diff --git a/goldilocks-4.9/.helmignore b/goldilocks-4.9/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/goldilocks-4.9/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/goldilocks-4.9/Chart.lock b/goldilocks-4.9/Chart.lock
new file mode 100644
index 0000000..21cd6dc
--- /dev/null
+++ b/goldilocks-4.9/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: vpa
+ repository: https://charts.fairwinds.com/stable
+ version: 2.2.0
+- name: metrics-server
+ repository: https://charts.bitnami.com/bitnami
+ version: 6.4.1
+digest: sha256:65dfffdd82f5d6603ee038a3fa3a501efddd36ea79338c8b403e13916f53da51
+generated: "2023-07-20T15:27:42.2213269Z"
diff --git a/goldilocks-4.9/Chart.yaml b/goldilocks-4.9/Chart.yaml
new file mode 100644
index 0000000..b205b1f
--- /dev/null
+++ b/goldilocks-4.9/Chart.yaml
@@ -0,0 +1,25 @@
+apiVersion: v2
+appVersion: v4.9.0
+dependencies:
+- condition: vpa.enabled
+ name: vpa
+ repository: https://charts.fairwinds.com/stable
+ version: 2.2.0
+- condition: metrics-server.enabled
+ name: metrics-server
+ repository: https://charts.bitnami.com/bitnami
+ version: 6.4.1
+description: |
+ A Helm chart for running Fairwinds Goldilocks. See https://github.com/FairwindsOps/goldilocks
+icon: https://raw.githubusercontent.com/FairwindsOps/charts/master/stable/goldilocks/icon.png
+keywords:
+- goldilocks
+- resources
+- kubernetes
+kubeVersion: '>= 1.22.0-0'
+maintainers:
+- name: sudermanjr
+name: goldilocks
+sources:
+- https://github.com/FairwindsOps/goldilocks
+version: 7.1.1
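Review bot: The `metrics-server` entry under `dependencies` carries no warning that the subchart it enables defaults to skipping TLS verification on the metrics APIService. The subchart README added in this same commit lists `apiService.insecureSkipTLSVerify` as `true` by default, and the parent README lists `metrics-server.apiService.create` as `true`. So setting `metrics-server.enabled` would presumably register the aggregated metrics API with backend certificate verification off; the values file is not among the lines shown here, so confirm against it. I would add a comment above the entry, `# enabling this registers the metrics APIService; the subchart defaults apiService.insecureSkipTLSVerify to true - set it to false and supply apiService.caBundle`, and repeat that caveat in the README row for `metrics-server.enabled`.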
diff --git a/goldilocks-4.9/README.md b/goldilocks-4.9/README.md
new file mode 100644
index 0000000..9dec847
--- /dev/null
+++ b/goldilocks-4.9/README.md
@@ -0,0 +1,127 @@
+
+
+
+
+
+## Intro
+
+This is a Helm chart for the Fairwinds [Goldilocks project](https://github.com/FairwindsOps/goldilocks). It provides an easy way to install the controller and the dashboard for viewing resource recommendations in your Kubernetes cluster. Please see the [Goldilocks README](https://github.com/FairwindsOps/goldilocks) for more information.
+
+## Installation
+```bash
+helm repo add fairwinds-stable https://charts.fairwinds.com/stable
+helm install goldilocks fairwinds-stable/goldilocks --namespace goldilocks
+```
+
+## Requirements
+
+This has a hard requirement on VPA being installed. Please see the [Goldilocks README](https://github.com/FairwindsOps/goldilocks)
+
+## vpa subchart
+
+Fairwinds has published a chart for installing VPA [in our stable repo](https://github.com/FairwindsOps/charts/tree/master/stable/vpa). It can be enabled as a sub-chart by setting `vpa.enabled==true`. We recommend just installing the chart and managing it separately.
+
+## Major Version Upgrade Notes
+
+## Upgrading from v6.x.x to v7.x.x
+
+In this change, the VPA helm chart was upgraded to the latest version, including a major bump. We recommend you to check [the VPA Helm chart changelog](https://github.com/FairwindsOps/charts/tree/master/stable/vpa#breaking-upgrading-from--v17x-to-200) to ensure a smooth upgrade.
+
+## *BREAKING* Upgrading from v4.x.x to v5.x.x
+
+The new chart version includes [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) configuration for the `networking.k8s.io/v1` Kubernetes API.
+
+Because of the new API version, you need to specify `dashboard.ingress.hosts[X].paths[Y].type` when installing this chart with enabled Ingress on a Kubernetes cluster version 1.19+.
+
+## Upgrading from v3.x.x to v4.x.x
+
+There are no breaking changes, but the goldilocks controller and dashboard have had some major tweaks so they can work with more workload controllers. To allow v4.0.0+ to work with more than Deployments, the main change here is in RBAC permissions so that the goldilocks service accounts can access all resources in the `apps/v1`.
+
+## *BREAKING* Upgrading from v2.x.x to v3.x.x
+
+In this change, the `installVPA` value and corresponding hooks have been removed in favor of the sub-chart. The recommended path forward is to remove the hook-installed resources and manage the VPA installation with the [Fairwinds VPA Chart](https://github.com/FairwindsOps/charts/tree/master/stable/vpa)
+
+We have kept the `uninstallVPA` flag in place, which will remove a vpa installation that was previously managed by this chart. This flag will be deprecated in a later release.
+
+## *BREAKING* Upgrading to chart v2.x.x from v1.x.x
+
+If using `installVPA=true` when updating from v1.x.x to v2.x.x of this chart, there are some considerations. v2.x.x of the chart started only installing the recommender and the necessary CRDs and RBAC from the VPA installation. This is due to the volatile and risky nature of running a beta mutatingadmissionwebhook in your cluster. If you have previously used the `installVPA=true` flag to install the VPA, we recommend that you completely uninstall and re-install the VPA as part of the upgrade. We have provided a new hook to do this that will run before the install hook.
+
+If upgrading from v1.x.x to v2.x.x we recommend upgrading like so:
+
+```
+helm upgrade goldilocks fairwinds-stable/goldilocks --set reinstallVPA=true
+```
+
+This will completely remove the VPA and then re-install it using the new method.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| uninstallVPA | bool | `false` | Enabling this flag will remove a vpa installation that was previously managed with this chart. It is considered deprecated and will be removed in a later release. |
+| vpa.enabled | bool | `false` | If true, the vpa will be installed as a sub-chart |
+| vpa.updater.enabled | bool | `false` | |
+| metrics-server.enabled | bool | `false` | If true, the metrics-server will be installed as a sub-chart |
+| metrics-server.apiService.create | bool | `true` | |
+| image.repository | string | `"us-docker.pkg.dev/fairwinds-ops/oss/goldilocks"` | Repository for the goldilocks image |
+| image.tag | string | `"v4.9.0"` | The goldilocks image tag to use |
+| image.pullPolicy | string | `"Always"` | imagePullPolicy - Highly recommended to leave this as `Always` |
+| imagePullSecrets | list | `[]` | A list of image pull secret names to use |
+| nameOverride | string | `""` | |
+| fullnameOverride | string | `""` | |
+| controller.enabled | bool | `true` | Whether or not to install the controller deployment |
+| controller.revisionHistoryLimit | int | `10` | Number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets |
+| controller.rbac.create | bool | `true` | If set to true, rbac resources will be created for the controller |
+| controller.rbac.enableArgoproj | bool | `true` | If set to true, the clusterrole will give access to argoproj.io resources |
+| controller.rbac.extraRules | list | `[]` | Extra rbac rules for the controller clusterrole |
+| controller.rbac.extraClusterRoleBindings | list | `[]` | A list of ClusterRoles for which ClusterRoleBindings will be created for the ServiceAccount, if enabled |
+| controller.serviceAccount.create | bool | `true` | If true, a service account will be created for the controller. If set to false, you must set `controller.serviceAccount.name` |
+| controller.serviceAccount.name | string | `nil` | The name of an existing service account to use for the controller. Combined with `controller.serviceAccount.create` |
+| controller.flags | object | `{}` | A map of additional flags to pass to the controller |
+| controller.logVerbosity | string | `"2"` | Controller log verbosity. Can be set from 1-10 with 10 being extremely verbose |
+| controller.nodeSelector | object | `{}` | Node selector for the controller pod |
+| controller.tolerations | list | `[]` | Tolerations for the controller pod |
+| controller.affinity | object | `{}` | Affinity for the controller pods |
+| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints for the controller pods |
+| controller.resources | object | `{"limits":{"cpu":"25m","memory":"256Mi"},"requests":{"cpu":"25m","memory":"256Mi"}}` | The resources block for the controller pods |
+| controller.podSecurityContext | object | `{}` | Defines the podSecurityContext for the controller pod |
+| controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10324}` | The container securityContext for the controller container |
+| controller.deployment.extraVolumeMounts | list | `[]` | Extra volume mounts for the controller container |
+| controller.deployment.extraVolumes | list | `[]` | Extra volumes for the controller pod |
+| controller.deployment.annotations | object | `{}` | Extra annotations for the controller deployment |
+| controller.deployment.additionalLabels | object | `{}` | Extra labels for the controller deployment |
+| controller.deployment.podAnnotations | object | `{}` | Extra annotations for the controller pod |
+| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` |
+| dashboard.enabled | bool | `true` | If true, the dashboard component will be installed |
+| dashboard.revisionHistoryLimit | int | `10` | Number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets |
+| dashboard.replicaCount | int | `2` | Number of dashboard pods to run |
+| dashboard.service.type | string | `"ClusterIP"` | The type of the dashboard service |
+| dashboard.service.port | int | `80` | The port to run the dashboard service on |
+| dashboard.service.annotations | object | `{}` | Extra annotations for the dashboard service |
+| dashboard.flags | object | `{}` | A map of additional flags to pass to the dashboard |
+| dashboard.logVerbosity | string | `"2"` | Dashboard log verbosity. Can be set from 1-10 with 10 being extremely verbose |
+| dashboard.excludeContainers | string | `"linkerd-proxy,istio-proxy"` | Container names to exclude from displaying in the Goldilocks dashboard |
+| dashboard.rbac.create | bool | `true` | If set to true, rbac resources will be created for the dashboard |
+| dashboard.rbac.enableArgoproj | bool | `true` | If set to true, the clusterrole will give access to argoproj.io resources |
+| dashboard.serviceAccount.create | bool | `true` | If true, a service account will be created for the dashboard. If set to false, you must set `dashboard.serviceAccount.name` |
+| dashboard.serviceAccount.name | string | `nil` | The name of an existing service account to use for the controller. Combined with `dashboard.serviceAccount.create` |
+| dashboard.deployment.annotations | object | `{}` | Extra annotations for the dashboard deployment |
+| dashboard.deployment.additionalLabels | object | `{}` | Extra labels for the dashboard deployment |
+| dashboard.deployment.extraVolumeMounts | list | `[]` | Extra volume mounts for the dashboard container |
+| dashboard.deployment.extraVolumes | list | `[]` | Extra volumes for the dashboard pod |
+| dashboard.deployment.podAnnotations | object | `{}` | Extra annotations for the dashboard pod |
+| dashboard.ingress.enabled | bool | `false` | Enables an ingress object for the dashboard. |
+| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. |
+| dashboard.ingress.annotations | object | `{}` | |
+| dashboard.ingress.hosts[0].host | string | `"chart-example.local"` | |
+| dashboard.ingress.hosts[0].paths[0].path | string | `"/"` | |
+| dashboard.ingress.hosts[0].paths[0].type | string | `"ImplementationSpecific"` | |
+| dashboard.ingress.tls | list | `[]` | |
+| dashboard.resources | object | `{"limits":{"cpu":"25m","memory":"256Mi"},"requests":{"cpu":"25m","memory":"256Mi"}}` | A resources block for the dashboard. |
+| dashboard.podSecurityContext | object | `{}` | Defines the podSecurityContext for the dashboard pod |
+| dashboard.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10324}` | The container securityContext for the dashboard container |
+| dashboard.nodeSelector | object | `{}` | |
+| dashboard.tolerations | list | `[]` | |
+| dashboard.affinity | object | `{}` | |
+| dashboard.topologySpreadConstraints | list | `[]` | Topology spread constraints for the dashboard pods |
diff --git a/goldilocks-4.9/README.md.gotmpl b/goldilocks-4.9/README.md.gotmpl
new file mode 100644
index 0000000..cdfbbdb
--- /dev/null
+++ b/goldilocks-4.9/README.md.gotmpl
@@ -0,0 +1,58 @@
+
+
+
+
+
+## Intro
+
+This is a Helm chart for the Fairwinds [Goldilocks project](https://github.com/FairwindsOps/goldilocks). It provides an easy way to install the controller and the dashboard for viewing resource recommendations in your Kubernetes cluster. Please see the [Goldilocks README](https://github.com/FairwindsOps/goldilocks) for more information.
+
+## Installation
+```bash
+helm repo add fairwinds-stable https://charts.fairwinds.com/stable
+helm install goldilocks fairwinds-stable/goldilocks --namespace goldilocks
+```
+
+## Requirements
+
+This has a hard requirement on VPA being installed. Please see the [Goldilocks README](https://github.com/FairwindsOps/goldilocks)
+
+## vpa subchart
+
+Fairwinds has published a chart for installing VPA [in our stable repo](https://github.com/FairwindsOps/charts/tree/master/stable/vpa). It can be enabled as a sub-chart by setting `vpa.enabled==true`. We recommend just installing the chart and managing it separately.
+
+## Major Version Upgrade Notes
+
+## Upgrading from v6.x.x to v7.x.x
+
+In this change, the VPA helm chart was upgraded to the latest version, including a major bump. We recommend you to check [the VPA Helm chart changelog](https://github.com/FairwindsOps/charts/tree/master/stable/vpa#breaking-upgrading-from--v17x-to-200) to ensure a smooth upgrade.
+
+## *BREAKING* Upgrading from v4.x.x to v5.x.x
+
+The new chart version includes [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) configuration for the `networking.k8s.io/v1` Kubernetes API.
+
+Because of the new API version, you need to specify `dashboard.ingress.hosts[X].paths[Y].type` when installing this chart with enabled Ingress on a Kubernetes cluster version 1.19+.
+
+## Upgrading from v3.x.x to v4.x.x
+
+There are no breaking changes, but the goldilocks controller and dashboard have had some major tweaks so they can work with more workload controllers. To allow v4.0.0+ to work with more than Deployments, the main change here is in RBAC permissions so that the goldilocks service accounts can access all resources in the `apps/v1`.
+
+## *BREAKING* Upgrading from v2.x.x to v3.x.x
+
+In this change, the `installVPA` value and corresponding hooks have been removed in favor of the sub-chart. The recommended path forward is to remove the hook-installed resources and manage the VPA installation with the [Fairwinds VPA Chart](https://github.com/FairwindsOps/charts/tree/master/stable/vpa)
+
+We have kept the `uninstallVPA` flag in place, which will remove a vpa installation that was previously managed by this chart. This flag will be deprecated in a later release.
+
+## *BREAKING* Upgrading to chart v2.x.x from v1.x.x
+
+If using `installVPA=true` when updating from v1.x.x to v2.x.x of this chart, there are some considerations. v2.x.x of the chart started only installing the recommender and the necessary CRDs and RBAC from the VPA installation. This is due to the volatile and risky nature of running a beta mutatingadmissionwebhook in your cluster. If you have previously used the `installVPA=true` flag to install the VPA, we recommend that you completely uninstall and re-install the VPA as part of the upgrade. We have provided a new hook to do this that will run before the install hook.
+
+If upgrading from v1.x.x to v2.x.x we recommend upgrading like so:
+
+```
+helm upgrade goldilocks fairwinds-stable/goldilocks --set reinstallVPA=true
+```
+
+This will completely remove the VPA and then re-install it using the new method.
+
+{{ template "chart.valuesSection" . }}
diff --git a/goldilocks-4.9/charts/metrics-server/.helmignore b/goldilocks-4.9/charts/metrics-server/.helmignore
new file mode 100644
index 0000000..f0c1319
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/goldilocks-4.9/charts/metrics-server/Chart.lock b/goldilocks-4.9/charts/metrics-server/Chart.lock
new file mode 100644
index 0000000..c788c6f
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 2.4.0
+digest: sha256:8c1a5dc923412d11d4d841420494b499cb707305c8b9f87f45ea1a8bf3172cb3
+generated: "2023-05-21T18:44:32.432002275Z"
diff --git a/goldilocks-4.9/charts/metrics-server/Chart.yaml b/goldilocks-4.9/charts/metrics-server/Chart.yaml
new file mode 100644
index 0000000..4289992
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/Chart.yaml
@@ -0,0 +1,27 @@
+annotations:
+ category: Analytics
+ licenses: Apache-2.0
+apiVersion: v2
+appVersion: 0.6.3
+dependencies:
+- name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ tags:
+ - bitnami-common
+ version: 2.x.x
+description: Metrics Server aggregates resource usage data, such as container CPU
+ and memory usage, in a Kubernetes cluster and makes it available via the Metrics
+ API.
+home: https://bitnami.com
+icon: https://bitnami.com/assets/stacks/metrics-server/img/metrics-server-stack-220x234.png
+keywords:
+- metrics-server
+- cluster
+- metrics
+maintainers:
+- name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+name: metrics-server
+sources:
+- https://github.com/bitnami/charts/tree/main/bitnami/metrics-server
+version: 6.4.1
diff --git a/goldilocks-4.9/charts/metrics-server/README.md b/goldilocks-4.9/charts/metrics-server/README.md
new file mode 100644
index 0000000..481ddea
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/README.md
@@ -0,0 +1,266 @@
+
+
+# Metrics Server packaged by Bitnami
+
+Metrics Server aggregates resource usage data, such as container CPU and memory usage, in a Kubernetes cluster and makes it available via the Metrics API.
+
+[Overview of Metrics Server](https://github.com/kubernetes-incubator/metrics-server)
+
+Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
+
+## TL;DR
+
+```console
+helm install my-release oci://registry-1.docker.io/bitnamicharts/metrics-server
+```
+
+## Introduction
+
+This chart bootstraps a [Metrics Server](https://github.com/bitnami/containers/tree/main/bitnami/metrics-server) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+helm install my-release oci://registry-1.docker.io/bitnamicharts/metrics-server
+```
+
+These commands deploy Metrics Server on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+### Global parameters
+
+| Name | Description | Value |
+| ------------------------- | ----------------------------------------------- | ----- |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+
+### Common parameters
+
+| Name | Description | Value |
+| ------------------------ | -------------------------------------------------------------------------------------------- | -------------- |
+| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
+| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
+| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
+| `namespaceOverride` | String to fully override common.names.namespace | `""` |
+| `commonLabels` | Add labels to all the deployed resources | `{}` |
+| `commonAnnotations` | Add annotations to all the deployed resources | `{}` |
+| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
+| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
+| `diagnosticMode.command` | Command to override all containers in the the deployment(s)/statefulset(s) | `["sleep"]` |
+| `diagnosticMode.args` | Args to override all containers in the the deployment(s)/statefulset(s) | `["infinity"]` |
+
+### Metrics Server parameters
+
+| Name | Description | Value |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
+| `image.registry` | Metrics Server image registry | `docker.io` |
+| `image.repository` | Metrics Server image repository | `bitnami/metrics-server` |
+| `image.tag` | Metrics Server image tag (immutable tags are recommended) | `0.6.3-debian-11-r21` |
+| `image.digest` | Metrics Server image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `image.pullPolicy` | Metrics Server image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Metrics Server image pull secrets | `[]` |
+| `hostAliases` | Add deployment host aliases | `[]` |
+| `replicas` | Number of metrics-server nodes to deploy | `1` |
+| `updateStrategy.type` | Set up update strategy for metrics-server installation. | `RollingUpdate` |
+| `rbac.create` | Enable RBAC authentication | `true` |
+| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `serviceAccount.name` | The name of the ServiceAccount to create | `""` |
+| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account | `true` |
+| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
+| `apiService.create` | Specifies whether the v1beta1.metrics.k8s.io API service should be created. You can check if it is needed with `kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes"`. | `false` |
+| `apiService.insecureSkipTLSVerify` | Specifies whether to skip self-verifying self-signed TLS certificates. Set to "false" if you are providing your own certificates. | `true` |
+| `apiService.caBundle` | A base64-encoded string of concatenated certificates for the CA chain for the APIService. | `""` |
+| `containerPorts.https` | Port where metrics-server will be running | `8443` |
+| `hostNetwork` | Enable hostNetwork mode | `false` |
+| `dnsPolicy` | Default dnsPolicy setting | `ClusterFirst` |
+| `command` | Override default container command (useful when using custom images) | `[]` |
+| `args` | Override default container args (useful when using custom images) | `[]` |
+| `lifecycleHooks` | for the metrics-server container(s) to automate configuration before or after startup | `{}` |
+| `extraEnvVars` | Array with extra environment variables to add to metrics-server nodes | `[]` |
+| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for metrics-server nodes | `""` |
+| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for metrics-server nodes | `""` |
+| `extraArgs` | Extra arguments to pass to metrics-server on start up | `[]` |
+| `sidecars` | Add additional sidecar containers to the metrics-server pod(s) | `[]` |
+| `initContainers` | Add additional init containers to the metrics-server pod(s) | `[]` |
+| `podLabels` | Pod labels | `{}` |
+| `podAnnotations` | Pod annotations | `{}` |
+| `priorityClassName` | Priority class for pod scheduling | `""` |
+| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
+| `terminationGracePeriodSeconds` | In seconds, time the given to the metrics-server pod needs to terminate gracefully | `""` |
+| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `pdb.create` | Create a PodDisruptionBudget | `false` |
+| `pdb.minAvailable` | Minimum available instances | `""` |
+| `pdb.maxUnavailable` | Maximum unavailable instances | `""` |
+| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
+| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `affinity` | Affinity for pod assignment | `{}` |
+| `topologySpreadConstraints` | Topology spread constraints for pod | `[]` |
+| `nodeSelector` | Node labels for pod assignment | `{}` |
+| `tolerations` | Tolerations for pod assignment | `[]` |
+| `service.type` | Kubernetes Service type | `ClusterIP` |
+| `service.ports.https` | Kubernetes Service port | `443` |
+| `service.nodePorts.https` | Kubernetes Service port | `""` |
+| `service.clusterIP` | metrics-server service Cluster IP | `""` |
+| `service.loadBalancerIP` | LoadBalancer IP if Service type is `LoadBalancer` | `""` |
+| `service.loadBalancerSourceRanges` | metrics-server service Load Balancer sources | `[]` |
+| `service.externalTrafficPolicy` | metrics-server service external traffic policy | `Cluster` |
+| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `service.annotations` | Annotations for the Service | `{}` |
+| `service.labels` | Labels for the Service | `{}` |
+| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `resources.limits` | The resources limits for the container | `{}` |
+| `resources.requests` | The requested resources for the container | `{}` |
+| `startupProbe.enabled` | Enable startupProbe | `false` |
+| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
+| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
+| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
+| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` |
+| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
+| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
+| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
+| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
+| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
+| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `customStartupProbe` | Custom liveness probe for the Web component | `{}` |
+| `customLivenessProbe` | Custom Liveness probes for metrics-server | `{}` |
+| `customReadinessProbe` | Custom Readiness probes metrics-server | `{}` |
+| `containerSecurityContext.enabled` | Enable Container security context | `true` |
+| `containerSecurityContext.readOnlyRootFilesystem` | ReadOnlyRootFilesystem for the container | `false` |
+| `containerSecurityContext.runAsNonRoot` | Run containers as non-root users | `true` |
+| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `podSecurityContext.enabled` | Pod security context | `false` |
+| `podSecurityContext.fsGroup` | Set %%MAIN_CONTAINER_NAME%% pod's Security Context fsGroup | `1001` |
+| `extraVolumes` | Extra volumes | `[]` |
+| `extraVolumeMounts` | Mount extra volume(s) | `[]` |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+helm install my-release \
+ --set rbac.create=true oci://registry-1.docker.io/bitnamicharts/metrics-server
+```
+
+The above command enables RBAC authentication.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```console
+helm install my-release -f values.yaml oci://registry-1.docker.io/bitnamicharts/metrics-server
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Configuration and installation details
+
+### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+
+It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
+
+Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
+
+### Enable RBAC security
+
+In order to enable Role-Based Access Control (RBAC) for Metrics Server, use the following parameter: `rbac.create=true`.
+
+### Configure certificates
+
+If you are providing your own certificates for the API Service, set `insecureSkipTLSVerify` to `"false"`, and provide a `caBundle` consisting of the base64-encoded certificate chain.
+
+### Set Pod affinity
+
+This chart allows you to set custom Pod affinity using the `affinity` parameter. Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
+
+As an alternative, you can use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
+
+## Troubleshooting
+
+Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
+
+## Upgrading
+
+### To 6.0.0
+
+This major release renames several values in this chart and adds missing features, in order to be aligned with the rest of the assets in the Bitnami charts repository.
+
+Affected values:
+
+- `service.port` was deprecated. We recommend using `service.ports.http` instead.
+- `service.nodePort` was deprecated. We recommend using `service.nodePorts.https` instead.
+- `extraArgs` is now interpreted as an array.
+
+### To 5.2.0
+
+This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade.
+
+### To 5.0.0
+
+[On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
+
+[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/metrics-server/administration/upgrade-helm3/).
+
+### To 4.0.0
+
+Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
+Use the workaround below to upgrade from versions previous to 4.0.0. The following example assumes that the release name is metrics-server:
+
+```console
+kubectl delete deployment metrics-server --cascade=false
+helm upgrade metrics-server oci://registry-1.docker.io/bitnamicharts/metrics-server
+```
+
+### To 2.0.0
+
+Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
+Use the workaround below to upgrade from versions previous to 2.0.0. The following example assumes that the release name is metrics-server:
+
+```console
+kubectl patch deployment metrics-server --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]'
+```
+
+## License
+
+Copyright © 2023 Bitnami
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/.helmignore b/goldilocks-4.9/charts/metrics-server/charts/common/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/Chart.yaml b/goldilocks-4.9/charts/metrics-server/charts/common/Chart.yaml
new file mode 100644
index 0000000..4fc56bb
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/Chart.yaml
@@ -0,0 +1,23 @@
+annotations:
+ category: Infrastructure
+ licenses: Apache-2.0
+apiVersion: v2
+appVersion: 2.4.0
+description: A Library Helm Chart for grouping common logic between bitnami charts.
+ This chart is not deployable by itself.
+home: https://bitnami.com
+icon: https://bitnami.com/downloads/logos/bitnami-mark.png
+keywords:
+- common
+- helper
+- template
+- function
+- bitnami
+maintainers:
+- name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+name: common
+sources:
+- https://github.com/bitnami/charts
+type: library
+version: 2.4.0
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/README.md b/goldilocks-4.9/charts/metrics-server/charts/common/README.md
new file mode 100644
index 0000000..72fca33
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/README.md
@@ -0,0 +1,235 @@
+# Bitnami Common Library Chart
+
+A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
+
+Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
+
+## TL;DR
+
+```yaml
+dependencies:
+ - name: common
+ version: 1.x.x
+ repository: oci://registry-1.docker.io/bitnamicharts
+```
+
+```console
+helm dependency update
+```
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.names.fullname" . }}
+data:
+ myvalue: "Hello World"
+```
+
+## Introduction
+
+This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+
+## Parameters
+
+## Special input schemas
+
+### ImageRoot
+
+```yaml
+registry:
+ type: string
+ description: Docker registry where the image is located
+ example: docker.io
+
+repository:
+ type: string
+ description: Repository and image name
+ example: bitnami/nginx
+
+tag:
+ type: string
+ description: image tag
+ example: 1.16.1-debian-10-r63
+
+pullPolicy:
+ type: string
+ description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+
+pullSecrets:
+ type: array
+ items:
+ type: string
+ description: Optionally specify an array of imagePullSecrets (evaluated as templates).
+
+debug:
+ type: boolean
+ description: Set to true if you would like to see extra information on logs
+ example: false
+
+## An instance would be:
+# registry: docker.io
+# repository: bitnami/nginx
+# tag: 1.16.1-debian-10-r63
+# pullPolicy: IfNotPresent
+# debug: false
+```
+
+### Persistence
+
+```yaml
+enabled:
+ type: boolean
+ description: Whether enable persistence.
+ example: true
+
+storageClass:
+ type: string
+ description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
+ example: "-"
+
+accessMode:
+ type: string
+ description: Access mode for the Persistent Volume Storage.
+ example: ReadWriteOnce
+
+size:
+ type: string
+ description: Size the Persistent Volume Storage.
+ example: 8Gi
+
+path:
+ type: string
+ description: Path to be persisted.
+ example: /bitnami
+
+## An instance would be:
+# enabled: true
+# storageClass: "-"
+# accessMode: ReadWriteOnce
+# size: 8Gi
+# path: /bitnami
+```
+
+### ExistingSecret
+
+```yaml
+name:
+ type: string
+ description: Name of the existing secret.
+ example: mySecret
+keyMapping:
+ description: Mapping between the expected key name and the name of the key in the existing secret.
+ type: object
+
+## An instance would be:
+# name: mySecret
+# keyMapping:
+# password: myPasswordKey
+```
+
+#### Example of use
+
+When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
+
+```yaml
+# templates/secret.yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ labels:
+ app: {{ include "common.names.fullname" . }}
+type: Opaque
+data:
+ password: {{ .Values.password | b64enc | quote }}
+
+# templates/dpl.yaml
+---
+...
+ env:
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
+ key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
+...
+
+# values.yaml
+---
+name: mySecret
+keyMapping:
+ password: myPasswordKey
+```
+
+### ValidateValue
+
+#### NOTES.txt
+
+```console
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
+
+{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+```
+
+If we force those values to be empty we will see some alerts
+
+```console
+helm install test mychart --set path.to.value00="",path.to.value01=""
+ 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
+
+ export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
+
+ 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
+
+ export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d)
+```
+
+## Upgrading
+
+### To 1.0.0
+
+[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
+
+#### What changes were introduced in this major version?
+
+- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
+- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
+- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
+
+#### Considerations when upgrading to this version
+
+- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
+- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
+- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
+
+#### Useful links
+
+-
+-
+-
+
+## License
+
+Copyright © 2023 Bitnami
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_affinities.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_affinities.tpl
new file mode 100644
index 0000000..81902a6
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_affinities.tpl
@@ -0,0 +1,106 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a soft nodeAffinity definition
+{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.soft" -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: {{ .key }}
+ operator: In
+ values:
+ {{- range .values }}
+ - {{ . | quote }}
+ {{- end }}
+ weight: 1
+{{- end -}}
+
+{{/*
+Return a hard nodeAffinity definition
+{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.hard" -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: {{ .key }}
+ operator: In
+ values:
+ {{- range .values }}
+ - {{ . | quote }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return a nodeAffinity definition
+{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes" -}}
+ {{- if eq .type "soft" }}
+ {{- include "common.affinities.nodes.soft" . -}}
+ {{- else if eq .type "hard" }}
+ {{- include "common.affinities.nodes.hard" . -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a topologyKey definition
+{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}}
+*/}}
+{{- define "common.affinities.topologyKey" -}}
+{{ .topologyKey | default "kubernetes.io/hostname" -}}
+{{- end -}}
+
+{{/*
+Return a soft podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.soft" -}}
+{{- $component := default "" .component -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := $extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ weight: 1
+{{- end -}}
+
+{{/*
+Return a hard podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.hard" -}}
+{{- $component := default "" .component -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := $extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+{{- end -}}
+
+{{/*
+Return a podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.pods" -}}
+ {{- if eq .type "soft" }}
+ {{- include "common.affinities.pods.soft" . -}}
+ {{- else if eq .type "hard" }}
+ {{- include "common.affinities.pods.hard" . -}}
+ {{- end -}}
+{{- end -}}
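Review bot: In `common.affinities.pods.soft` and `common.affinities.pods.hard` the component label is written unquoted by `{{ printf "app.kubernetes.io/component: %s" $component }}`, while the `extraMatchLabels` values just below it go through `quote`; `key: {{ .key }}` in the two node helpers is unquoted as well. A component or key that YAML reads as a boolean, number or null would change type in the rendered manifest, so I would write `{{ printf "app.kubernetes.io/component: %s" ($component | quote) }}` and `key: {{ .key | quote }}`. The same unquoted pattern shows up later in this diff in `_images.tpl` (`- name: {{ . }}`) and `_ingress.tpl` (`serviceName: {{ .serviceName }}`, `name: {{ .serviceName }}`). The usage comment on `common.affinities.pods` also lists `key` and `values`, which the pod helpers never read; they take `component`, `extraMatchLabels`, `topologyKey` and `context`. Judging by the path this is a vendored copy of the Bitnami common chart, so the change probably belongs upstream rather than in this tree.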
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_capabilities.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_capabilities.tpl
new file mode 100644
index 0000000..697486a
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_capabilities.tpl
@@ -0,0 +1,180 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return the target Kubernetes version
+*/}}
+{{- define "common.capabilities.kubeVersion" -}}
+{{- if .Values.global }}
+ {{- if .Values.global.kubeVersion }}
+ {{- .Values.global.kubeVersion -}}
+ {{- else }}
+ {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+ {{- end -}}
+{{- else }}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for poddisruptionbudget.
+*/}}
+{{- define "common.capabilities.policy.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "policy/v1beta1" -}}
+{{- else -}}
+{{- print "policy/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "common.capabilities.networkPolicy.apiVersion" -}}
+{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for cronjob.
+*/}}
+{{- define "common.capabilities.cronjob.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "batch/v1beta1" -}}
+{{- else -}}
+{{- print "batch/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for daemonset.
+*/}}
+{{- define "common.capabilities.daemonset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "common.capabilities.deployment.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for statefulset.
+*/}}
+{{- define "common.capabilities.statefulset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apps/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "common.capabilities.ingress.apiVersion" -}}
+{{- if .Values.ingress -}}
+{{- if .Values.ingress.apiVersion -}}
+{{- .Values.ingress.apiVersion -}}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end }}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for RBAC resources.
+*/}}
+{{- define "common.capabilities.rbac.apiVersion" -}}
+{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "rbac.authorization.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "rbac.authorization.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for CRDs.
+*/}}
+{{- define "common.capabilities.crd.apiVersion" -}}
+{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiextensions.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiextensions.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for APIService.
+*/}}
+{{- define "common.capabilities.apiService.apiVersion" -}}
+{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiregistration.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiregistration.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Horizontal Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.hpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Vertical Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.vpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the used Helm version is 3.3+.
+A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
+This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
+**To be removed when the catalog's minimun Helm version is 3.3**
+*/}}
+{{- define "common.capabilities.supportsHelmVersion" -}}
+{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
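Review bot: `common.capabilities.vpa.apiVersion` has the same body as the HPA helper above it and prints `autoscaling/v2beta1`, `autoscaling/v2beta2` or `autoscaling/v2`, but VerticalPodAutoscaler objects are served from the `autoscaling.k8s.io` group, so a manifest built with this helper would be rejected by the API server. No caller is visible in this part of the diff, so the impact here may be nil; if the helper stays, the final branch should read `{{- print "autoscaling.k8s.io/v1" -}}`. Separately, `common.capabilities.kubeVersion` deserves a comment such as `Values.global.kubeVersion and Values.kubeVersion override the version reported by the cluster`, because a stale override there silently changes the apiVersion chosen by every helper in this file.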
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_errors.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_errors.tpl
new file mode 100644
index 0000000..a79cc2e
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_errors.tpl
@@ -0,0 +1,23 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Through error when upgrading using empty passwords values that must not be empty.
+
+Usage:
+{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
+{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
+
+Required password params:
+ - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
+ - context - Context - Required. Parent context.
+*/}}
+{{- define "common.errors.upgrade.passwords.empty" -}}
+ {{- $validationErrors := join "" .validationErrors -}}
+ {{- if and $validationErrors .context.Release.IsUpgrade -}}
+ {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
+ {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
+ {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
+ {{- $errorString = print $errorString "\n%s" -}}
+ {{- printf $errorString $validationErrors | fail -}}
+ {{- end -}}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_images.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_images.tpl
new file mode 100644
index 0000000..d60c22e
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_images.tpl
@@ -0,0 +1,80 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+ {{- if .global.imageRegistry }}
+ {{- $registryName = .global.imageRegistry -}}
+ {{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+ {{- $separator = "@" -}}
+ {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+ {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+ {{- printf "%s%s%s" $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
+{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "common.images.pullSecrets" -}}
+ {{- $pullSecrets := list }}
+
+ {{- if .global }}
+ {{- range .global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets | uniq }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names evaluating values as templates
+{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
+*/}}
+{{- define "common.images.renderPullSecrets" -}}
+ {{- $pullSecrets := list }}
+ {{- $context := .context }}
+
+ {{- if $context.Values.global }}
+ {{- range $context.Values.global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets | uniq }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
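Review bot: `common.images.image` builds the reference from `.imageRoot.tag | toString` without checking that a tag or a digest was supplied, so an `imageRoot` with neither looks like it would render a bogus reference (probably `repository:<nil>`) instead of failing at template time. A guard at the top of the define, `{{- if not (or .imageRoot.tag .imageRoot.digest) }}{{- fail "image tag or digest is required" }}{{- end }}`, would surface the mistake during `helm template` rather than as an image pull error in the cluster. The digest branch already takes precedence over the tag; a one-line comment saying that setting `digest` pins the image to fixed content, whereas a tag can be moved in the registry, would help whoever fills in the values. As this appears to be vendored Bitnami code, the guard may be easier to carry as a check in the parent chart.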
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_ingress.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_ingress.tpl
new file mode 100644
index 0000000..831da9c
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_ingress.tpl
@@ -0,0 +1,68 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Generate backend entry that is compatible with all Kubernetes API versions.
+
+Usage:
+{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
+
+Params:
+ - serviceName - String. Name of an existing service backend
+ - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.ingress.backend" -}}
+{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
+{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
+serviceName: {{ .serviceName }}
+servicePort: {{ .servicePort }}
+{{- else -}}
+service:
+ name: {{ .serviceName }}
+ port:
+ {{- if typeIs "string" .servicePort }}
+ name: {{ .servicePort }}
+ {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
+ number: {{ .servicePort | int }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Print "true" if the API pathType field is supported
+Usage:
+{{ include "common.ingress.supportsPathType" . }}
+*/}}
+{{- define "common.ingress.supportsPathType" -}}
+{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the ingressClassname field is supported
+Usage:
+{{ include "common.ingress.supportsIngressClassname" . }}
+*/}}
+{{- define "common.ingress.supportsIngressClassname" -}}
+{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if cert-manager required annotations for TLS signed
+certificates are set in the Ingress annotations
+Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+Usage:
+{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
+*/}}
+{{- define "common.ingress.certManagerRequest" -}}
+{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
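Review bot: In `common.ingress.backend` the `if typeIs "string"` / `else if or (typeIs "int" …) (typeIs "float64" …)` chain has no final branch, so a `.servicePort` of any other type (an `int64`, for instance) leaves `port:` with no `name` or `number` under it. The result is an Ingress that renders cleanly and only fails validation when applied. I would add `(typeIs "int64" .servicePort)` to the `or` and close the chain with `{{- else }}{{- fail "servicePort must be a string or a number" }}` so the problem is reported at render time.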
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_labels.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_labels.tpl
new file mode 100644
index 0000000..252066c
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_labels.tpl
@@ -0,0 +1,18 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes standard labels
+*/}}
+{{- define "common.labels.standard" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+helm.sh/chart: {{ include "common.names.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "common.labels.matchLabels" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_names.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_names.tpl
new file mode 100644
index 0000000..617a234
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_names.tpl
@@ -0,0 +1,66 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified dependency name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Usage:
+{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
+*/}}
+{{- define "common.names.dependency.fullname" -}}
+{{- if .chartValues.fullnameOverride -}}
+{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .chartName .chartValues.nameOverride -}}
+{{- if contains $name .context.Release.Name -}}
+{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+*/}}
+{{- define "common.names.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified app name adding the installation's namespace.
+*/}}
+{{- define "common.names.fullname.namespace" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_secrets.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_secrets.tpl
new file mode 100644
index 0000000..a1708b2
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_secrets.tpl
@@ -0,0 +1,165 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Generate secret name.
+
+Usage:
+{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.secrets.name" -}}
+{{- $name := (include "common.names.fullname" .context) -}}
+
+{{- if .defaultNameSuffix -}}
+{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- with .existingSecret -}}
+{{- if not (typeIs "string" .) -}}
+{{- with .name -}}
+{{- $name = . -}}
+{{- end -}}
+{{- else -}}
+{{- $name = . -}}
+{{- end -}}
+{{- end -}}
+
+{{- printf "%s" $name -}}
+{{- end -}}
+
+{{/*
+Generate secret key.
+
+Usage:
+{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - key - String - Required. Name of the key in the secret.
+*/}}
+{{- define "common.secrets.key" -}}
+{{- $key := .key -}}
+
+{{- if .existingSecret -}}
+ {{- if not (typeIs "string" .existingSecret) -}}
+ {{- if .existingSecret.keyMapping -}}
+ {{- $key = index .existingSecret.keyMapping $.key -}}
+ {{- end -}}
+ {{- end }}
+{{- end -}}
+
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Generate secret password or retrieve one if already created.
+
+Usage:
+{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - length - int - Optional - Length of the generated random password.
+ - strong - Boolean - Optional - Whether to add symbols to the generated random password.
+ - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
+ - context - Context - Required - Parent context.
+
+The order in which this function returns a secret password:
+ 1. Already existing 'Secret' resource
+ (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
+ 2. Password provided via the values.yaml
+ (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
+ 3. Randomly generated secret password
+ (A new random secret password with the length specified in the 'length' parameter will be generated and returned)
+
+*/}}
+{{- define "common.secrets.passwords.manage" -}}
+
+{{- $password := "" }}
+{{- $subchart := "" }}
+{{- $chartName := default "" .chartName }}
+{{- $passwordLength := default 10 .length }}
+{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
+{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
+{{- if $secretData }}
+ {{- if hasKey $secretData .key }}
+ {{- $password = index $secretData .key | quote }}
+ {{- else }}
+ {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
+ {{- end -}}
+{{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString | b64enc | quote }}
+{{- else }}
+
+ {{- if .context.Values.enabled }}
+ {{- $subchart = $chartName }}
+ {{- end -}}
+
+ {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
+ {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
+ {{- $passwordValidationErrors := list $requiredPasswordError -}}
+ {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
+
+ {{- if .strong }}
+ {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
+ {{- $password = randAscii $passwordLength }}
+ {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
+ {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
+ {{- else }}
+ {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
+ {{- end }}
+{{- end -}}
+{{- printf "%s" $password -}}
+{{- end -}}
+
+{{/*
+Reuses the value from an existing secret, otherwise sets its value to a default value.
+
+Usage:
+{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - context - Context - Required - Parent context.
+
+*/}}
+{{- define "common.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $defaultValue := required "\n'common.secrets.lookup': Argument 'defaultValue' missing or empty" .defaultValue -}}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else -}}
+ {{- $value = $defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+
+{{/*
+Returns whether a previous generated secret already exists
+
+Usage:
+{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - context - Context - Required - Parent context.
+*/}}
+{{- define "common.secrets.exists" -}}
+{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }}
+{{- if $secret }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
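Review bot: In `common.secrets.passwords.manage`, the `strong` branch yields fewer random characters than `length` suggests: `substr 5 $passwordLength` discards the first five generated characters, `regexReplaceAllLiteral "\\W"` collapses every symbol to `@`, and the prefix built with `join "_"` always contributes two literal underscores. With the default `default 10 .length`, that leaves five freely chosen characters plus three class-constrained ones. I would raise the default, e.g. `{{- $passwordLength := default 16 .length }}`, and add a comment on the branch such as `{{/* strong: 5 of the $passwordLength characters are the fixed-shape prefix; only length-5 are random */}}`. This file is a vendored copy of the common chart, so callers in this repository can instead pass an explicit larger `length`.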
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_storage.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_storage.tpl
new file mode 100644
index 0000000..60e2a84
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_storage.tpl
@@ -0,0 +1,23 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper Storage Class
+{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
+*/}}
+{{- define "common.storage.class" -}}
+
+{{- $storageClass := .persistence.storageClass -}}
+{{- if .global -}}
+ {{- if .global.storageClass -}}
+ {{- $storageClass = .global.storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- if $storageClass -}}
+ {{- if (eq "-" $storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" $storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- end -}}
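Review bot: The usage line for `common.storage.class` passes `"global" $`, but the body reads `.global.storageClass`; with the root context as `.global` that field does not exist, so a caller following the example would never get the global override. The example should read `"global" .Values.global`, or the body should read `.global.Values.global.storageClass`; which form the callers use is not visible in this hunk. The non-empty branch also emits the class name unquoted, and `printf "storageClassName: %s" ($storageClass | quote)` would keep a name that looks like a number or boolean typed as a string.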
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_tplvalues.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_tplvalues.tpl
new file mode 100644
index 0000000..2db1668
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_tplvalues.tpl
@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+ {{- if typeIs "string" .value }}
+ {{- tpl .value .context }}
+ {{- else }}
+ {{- tpl (.value | toYaml) .context }}
+ {{- end }}
+{{- end -}}
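Review bot: `common.tplvalues.render` hands `.value` to `tpl` together with the full `.context`, and the doc comment does not say what that implies: any string that reaches this helper from values is evaluated as a template with access to everything the chart's own templates can reach. I would extend the comment with `Values rendered here are evaluated as Go templates with the caller's context; only pass values that come from trusted values files.` Whether this matters depends on who can supply values in the deployment pipeline, which this diff does not show.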
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_utils.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_utils.tpl
new file mode 100644
index 0000000..b1ead50
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_utils.tpl
@@ -0,0 +1,62 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Print instructions to get a secret value.
+Usage:
+{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
+*/}}
+{{- define "common.utils.secret.getvalue" -}}
+{{- $varname := include "common.utils.fieldToEnvVar" . -}}
+export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
+{{- end -}}
+
+{{/*
+Build env var name given a field
+Usage:
+{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
+*/}}
+{{- define "common.utils.fieldToEnvVar" -}}
+ {{- $fieldNameSplit := splitList "-" .field -}}
+ {{- $upperCaseFieldNameSplit := list -}}
+
+ {{- range $fieldNameSplit -}}
+ {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
+ {{- end -}}
+
+ {{ join "_" $upperCaseFieldNameSplit }}
+{{- end -}}
+
+{{/*
+Gets a value from .Values given
+Usage:
+{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
+*/}}
+{{- define "common.utils.getValueFromKey" -}}
+{{- $splitKey := splitList "." .key -}}
+{{- $value := "" -}}
+{{- $latestObj := $.context.Values -}}
+{{- range $splitKey -}}
+ {{- if not $latestObj -}}
+ {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
+ {{- end -}}
+ {{- $value = ( index $latestObj . ) -}}
+ {{- $latestObj = $value -}}
+{{- end -}}
+{{- printf "%v" (default "" $value) -}}
+{{- end -}}
+
+{{/*
+Returns first .Values key with a defined value or first of the list if all non-defined
+Usage:
+{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }}
+*/}}
+{{- define "common.utils.getKeyFromList" -}}
+{{- $key := first .keys -}}
+{{- $reverseKeys := reverse .keys }}
+{{- range $reverseKeys }}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }}
+ {{- if $value -}}
+ {{- $key = . }}
+ {{- end -}}
+{{- end -}}
+{{- printf "%s" $key -}}
+{{- end -}}
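Review bot: In `common.utils.secret.getvalue`, the printed command quotes the namespace (`| quote`) but interpolates `{{ .secret }}` and `{{ .field }}` raw into a line that is meant to be pasted into a shell. Quoting the name the same way, `{{ .secret | quote }}`, keeps the argument a single shell word whatever the caller passes. Separately, `common.utils.fieldToEnvVar` splits only on `-`, so a field containing a dot (a key like `tls.crt`, constructed example) yields a name that is not a valid shell variable and a jsonpath that would need escaping. A comment stating that `field` must be dash-separated alphanumerics would document that limit.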
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/_warnings.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_warnings.tpl
new file mode 100644
index 0000000..ae10fa4
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/_warnings.tpl
@@ -0,0 +1,14 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Warning about using rolling tag.
+Usage:
+{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
+*/}}
+{{- define "common.warnings.rollingTag" -}}
+
+{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+{{- end }}
+
+{{- end -}}
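Review bot: The check in `common.warnings.rollingTag` fires only when `.repository` contains `bitnami/`, so the same mutable tag pulled through a mirror or another repository produces no warning, and the doc comment does not say so. I would add to the comment: `Only repositories containing "bitnami/" are checked; a tag is treated as immutable when it ends in -rN or contains sha256:.` The output is advisory text only; nothing visible in this hunk stops rendering with a rolling tag, so pinning by digest remains the caller's responsibility.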
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_cassandra.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_cassandra.tpl
new file mode 100644
index 0000000..ded1ae3
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_cassandra.tpl
@@ -0,0 +1,72 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Cassandra required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.cassandra.passwords" -}}
+ {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
+ {{- $enabled := include "common.cassandra.values.enabled" . -}}
+ {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
+ {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.dbUser.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled cassandra.
+
+Usage:
+{{ include "common.cassandra.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.cassandra.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.cassandra.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key dbUser
+
+Usage:
+{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.key.dbUser" -}}
+ {{- if .subchart -}}
+ cassandra.dbUser
+ {{- else -}}
+ dbUser
+ {{- end -}}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_mariadb.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_mariadb.tpl
new file mode 100644
index 0000000..b6906ff
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_mariadb.tpl
@@ -0,0 +1,103 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MariaDB required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mariadb.passwords" -}}
+ {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mariadb.values.enabled" . -}}
+ {{- $architecture := include "common.mariadb.values.architecture" . -}}
+ {{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mariadb.
+
+Usage:
+{{ include "common.mariadb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mariadb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mariadb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mariadb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_mongodb.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_mongodb.tpl
new file mode 100644
index 0000000..f820ec1
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_mongodb.tpl
@@ -0,0 +1,108 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MongoDB® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret"
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mongodb.passwords" -}}
+ {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mongodb.values.enabled" . -}}
+ {{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
+ {{- $architecture := include "common.mongodb.values.architecture" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
+ {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
+
+ {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
+ {{- if and $valueUsername $valueDatabase -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replicaset") -}}
+ {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mongodb.
+
+Usage:
+{{ include "common.mongodb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mongodb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mongodb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mongodb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_mysql.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_mysql.tpl
new file mode 100644
index 0000000..74472a0
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_mysql.tpl
@@ -0,0 +1,103 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MySQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mysql.passwords" -}}
+ {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mysql.values.enabled" . -}}
+ {{- $architecture := include "common.mysql.values.architecture" . -}}
+ {{- $authPrefix := include "common.mysql.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mysql.
+
+Usage:
+{{ include "common.mysql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mysql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mysql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.key.auth" -}}
+ {{- if .subchart -}}
+ mysql.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_postgresql.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_postgresql.tpl
new file mode 100644
index 0000000..164ec0d
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_postgresql.tpl
@@ -0,0 +1,129 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate PostgreSQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.postgresql.passwords" -}}
+ {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
+ {{- $enabled := include "common.postgresql.values.enabled" . -}}
+ {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
+ {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+ {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
+
+ {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
+ {{- if (eq $enabledReplication "true") -}}
+ {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to decide whether evaluate global values.
+
+Usage:
+{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
+Params:
+ - key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
+*/}}
+{{- define "common.postgresql.values.use.global" -}}
+ {{- if .context.Values.global -}}
+ {{- if .context.Values.global.postgresql -}}
+ {{- index .context.Values.global.postgresql .key | quote -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.existingSecret" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
+
+ {{- if .subchart -}}
+ {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
+ {{- else -}}
+ {{- default (.context.Values.existingSecret | quote) $globalValue -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled postgresql.
+
+Usage:
+{{ include "common.postgresql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key postgressPassword.
+
+Usage:
+{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.postgressPassword" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
+
+ {{- if not $globalValue -}}
+ {{- if .subchart -}}
+ postgresql.postgresqlPassword
+ {{- else -}}
+ postgresqlPassword
+ {{- end -}}
+ {{- else -}}
+ global.postgresql.postgresqlPassword
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled.replication.
+
+Usage:
+{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.enabled.replication" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.replication.enabled -}}
+ {{- else -}}
+ {{- printf "%v" .context.Values.replication.enabled -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key replication.password.
+
+Usage:
+{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.replicationPassword" -}}
+ {{- if .subchart -}}
+ postgresql.replication.password
+ {{- else -}}
+ replication.password
+ {{- end -}}
+{{- end -}}
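Review bot: `common.postgresql.values.key.postgressPassword` chooses the values path to validate by looking up the global key `postgresqlUsername`, not `postgresqlPassword`. When a global username is set without a global password, the empty-password validation is pointed at `global.postgresql.postgresqlPassword` even though the password may be supplied under the chart's own `postgresqlPassword`; in the opposite case a global password is not the one checked. If this is not intentional, the lookup should read `(dict "key" "postgresqlPassword" "context" .context)`. This is a vendored copy of the common chart, so the change would have to land upstream or the behaviour be stated in the comment above the define.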
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_redis.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_redis.tpl
new file mode 100644
index 0000000..dcccfc1
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_redis.tpl
@@ -0,0 +1,76 @@
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Redis® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.redis.passwords" -}}
+ {{- $enabled := include "common.redis.values.enabled" . -}}
+ {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
+ {{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
+
+ {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
+ {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
+
+ {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
+ {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
+ {{- if eq $useAuth "true" -}}
+ {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled redis.
+
+Usage:
+{{ include "common.redis.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.redis.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right prefix path for the values
+
+Usage:
+{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.redis.values.keys.prefix" -}}
+ {{- if .subchart -}}redis.{{- else -}}{{- end -}}
+{{- end -}}
+
+{{/*
+Checks whether the redis chart's includes the standarizations (version >= 14)
+
+Usage:
+{{ include "common.redis.values.standarized.version" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.standarized.version" -}}
+
+ {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
+ {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
+
+ {{- if $standarizedAuthValues -}}
+ {{- true -}}
+ {{- end -}}
+{{- end -}}
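Review bot: The guard in `common.validations.values.redis.passwords` tests `$existingSecret`, which holds the values key path built by `ternary` and is therefore never empty, so the condition is always false and the empty-password check never runs. The looked-up `$existingSecretValue` two lines earlier is never used; the condition should read `{{- if and (or (not $existingSecretValue) (eq $existingSecretValue "\"\"")) (eq $enabled "true") -}}`. Separately, the usage comment for the prefix helper names `common.redis.values.key.prefix` while the define is `common.redis.values.keys.prefix`.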
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_validations.tpl b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_validations.tpl
new file mode 100644
index 0000000..9a814cf
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/templates/validations/_validations.tpl
@@ -0,0 +1,46 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate values must not be empty.
+
+Usage:
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+*/}}
+{{- define "common.validations.values.multiple.empty" -}}
+ {{- range .required -}}
+ {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Validate a value must not be empty.
+
+Usage:
+{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+ - subchart - String - Optional - Name of the subchart that the validated password is part of.
+*/}}
+{{- define "common.validations.values.single.empty" -}}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
+ {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
+
+ {{- if not $value -}}
+ {{- $varname := "my-value" -}}
+ {{- $getCurrentValue := "" -}}
+ {{- if and .secret .field -}}
+ {{- $varname = include "common.utils.fieldToEnvVar" . -}}
+ {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
+ {{- end -}}
+ {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
+ {{- end -}}
+{{- end -}}
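Review bot: The usage comments name templates this file does not define, `common.validations.values.empty` and `common.validations.value.empty`, while the defines are `common.validations.values.multiple.empty` and `common.validations.values.single.empty`; the comments should use the defined names. `multiple.empty` also builds the dict for `single.empty` without a `subchart` key, so the `--set` hint printed for a subchart value omits its prefix; adding `"subchart" .subchart` to that dict would forward it when callers supply it. The hint places the secret on the helm command line, so a comment pointing to a values file as the alternative would help users who do not want the value in shell history.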
diff --git a/goldilocks-4.9/charts/metrics-server/charts/common/values.yaml b/goldilocks-4.9/charts/metrics-server/charts/common/values.yaml
new file mode 100644
index 0000000..f2df68e
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/charts/common/values.yaml
@@ -0,0 +1,5 @@
+## bitnami/common
+## It is required by CI/CD tools and processes.
+## @skip exampleValue
+##
+exampleValue: common-chart
diff --git a/goldilocks-4.9/charts/metrics-server/templates/NOTES.txt b/goldilocks-4.9/charts/metrics-server/templates/NOTES.txt
new file mode 100644
index 0000000..3a03795
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/NOTES.txt
@@ -0,0 +1,55 @@
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+** Please be patient while the chart is being deployed **
+
+The metric server has been deployed.
+
+{{- if or .Values.apiService.create (.Capabilities.APIVersions.Has "metrics.k8s.io/v1beta1") }}
+{{- if .Values.diagnosticMode.enabled }}
+The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
+
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
+
+Get the list of pods by executing:
+
+ kubectl get pods --namespace {{ template "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+Access the pod you want to debug by executing
+
+ kubectl exec --namespace {{ template "common.names.namespace" . }} -ti -- bash
+
+In order to replicate the container startup scripts execute this command:
+
+ metrics-server --secure-port={{ .Values.containerPorts.https }}
+
+{{- else }}
+In a few minutes you should be able to list metrics using the following
+command:
+
+ kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes"
+{{- end -}}
+{{- else }}
+###################################################################################
+### ERROR: The metrics.k8s.io/v1beta1 API service is not enabled in the cluster ###
+###################################################################################
+You have disabled the API service creation for this release. As the Kubernetes version in the cluster
+does not have metrics.k8s.io/v1beta1, the metrics API will not work with this release unless:
+
+Option A:
+
+ You complete your metrics-server release by running:
+
+ helm upgrade --namespace {{ include "common.names.namespace" . }} {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/metrics-server \
+ --set apiService.create=true
+
+Option B:
+
+ You configure the metrics API service outside of this Helm chart
+{{- end -}}
+
+{{- include "metrics-server.validateValues" . }}
+{{- include "metrics-server.checkRollingTags" . }}
+
diff --git a/goldilocks-4.9/charts/metrics-server/templates/_helpers.tpl b/goldilocks-4.9/charts/metrics-server/templates/_helpers.tpl
new file mode 100644
index 0000000..d7c8e04
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/_helpers.tpl
@@ -0,0 +1,56 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "metrics-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper metrics-server image name
+*/}}
+{{- define "metrics-server.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "metrics-server.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.image ) "global" .Values.global) -}}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message, and call fail.
+*/}}
+{{- define "metrics-server.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "metrics-server.validateValues.extraVolumes" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of metrics-server - Incorrect extra volume settings */}}
+{{- define "metrics-server.validateValues.extraVolumes" -}}
+{{- if and (.Values.extraVolumes) (not .Values.extraVolumeMounts) -}}
+metrics-server: missing-extra-volume-mounts
+ You specified extra volumes but not mount points for them. Please set
+ the extraVolumeMounts value
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check if there are rolling tags in the images
+*/}}
+{{- define "metrics-server.checkRollingTags" -}}
+{{- include "common.warnings.rollingTag" .Values.image }}
+{{- end -}}
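Review bot: When `serviceAccount.create` is false and no name is given, `metrics-server.serviceAccountName` returns `default`, and the bindings later in this commit (auth-delegator-crb.yaml, metrics-server-crb.yaml, role-binding.yaml) use that name as their subject. With `rbac.create` still true, this grants `system:auth-delegator` and the metrics-server ClusterRole to the namespace's shared default ServiceAccount, and so to every pod that runs under it. Requiring an explicit name in that branch avoids it, e.g. `{{ required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`. In `metrics-server.validateValues`, `$messages` is redeclared with `:=` three times; using `=` for the reassignments reads more clearly.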
diff --git a/goldilocks-4.9/charts/metrics-server/templates/auth-delegator-crb.yaml b/goldilocks-4.9/charts/metrics-server/templates/auth-delegator-crb.yaml
new file mode 100644
index 0000000..e141144
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/auth-delegator-crb.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create -}}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "%s-auth-delegator" (include "common.names.fullname.namespace" .) }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "metrics-server.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/templates/cluster-role.yaml b/goldilocks-4.9/charts/metrics-server/templates/cluster-role.yaml
new file mode 100644
index 0000000..e1e02ac
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/cluster-role.yaml
@@ -0,0 +1,56 @@
+{{- if .Values.rbac.create -}}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+ name: {{ template "common.names.fullname.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/metrics
+ verbs:
+ - get
+ - create
+---
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+ name: {{ printf "%s-view" (include "common.names.fullname.namespace" .) }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+{{- end -}}
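Review bot: The second rule of the first ClusterRole grants `create` on `nodes/metrics` in addition to `get`, and nothing in this commit shows a need for a write verb there. The role is bound cluster-wide to the chart's ServiceAccount in metrics-server-crb.yaml, so any extra verb applies on every node. If scraping only needs reads, reduce the verbs list to `- get`; otherwise add a comment above the rule stating what `create` is required for.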
diff --git a/goldilocks-4.9/charts/metrics-server/templates/deployment.yaml b/goldilocks-4.9/charts/metrics-server/templates/deployment.yaml
new file mode 100644
index 0000000..6c602c0
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/deployment.yaml
@@ -0,0 +1,154 @@
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ {{- if .Values.updateStrategy }}
+ strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $) | nindent 4 }}
+ {{- end }}
+ template:
+ metadata:
+ labels: {{- include "common.labels.standard" . | nindent 8 }}
+ {{- if .Values.podLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.podLabels "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.podAnnotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "metrics-server.imagePullSecrets" . | nindent 6 }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- end }}
+ serviceAccountName: {{ template "metrics-server.serviceAccountName" . }}
+ {{- if .Values.affinity }}
+ affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.schedulerName }}
+ schedulerName: {{ .Values.schedulerName | quote }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ {{- if .Values.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ dnsPolicy: {{ .Values.dnsPolicy }}
+ {{- if .Values.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- end }}
+ {{- if .Values.initContainers }}
+ initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: metrics-server
+ image: {{ template "metrics-server.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+ {{- else if .Values.command }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
+ {{- else }}
+ command:
+ - metrics-server
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+ {{- else if .Values.args }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
+ {{- else }}
+ args:
+ - --secure-port={{ .Values.containerPorts.https }}
+ {{- if .Values.extraArgs }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.extraArgs "context" $) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
+ {{- end }}
+ env:
+ {{- if .Values.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ envFrom:
+ {{- if .Values.extraEnvVarsCM }}
+ - configMapRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
+ {{- end }}
+ {{- if .Values.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
+ {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: https
+ containerPort: {{ .Values.containerPorts.https }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /livez
+ port: https
+ scheme: HTTPS
+ {{- end }}
+ {{- if .Values.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ {{- end }}
+ {{- if .Values.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: https
+ {{- end }}
+ {{- end }}
+ {{- if .Values.extraVolumeMounts }}
+ volumeMounts: {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.sidecars }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.extraVolumes }}
+ volumes: {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
+ {{- end }}
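Review bot: When `.Values.args` is set, the `else if` branch replaces the whole args list, so neither `--secure-port={{ .Values.containerPorts.https }}` nor `extraArgs` is applied, while `containerPort` and the default probes still follow `containerPorts.https`. A custom args list that leaves out `--secure-port` then depends on whatever port the binary listens on by default (not shown here), and the probes may point at a different port. A template comment above that branch would make the contract explicit, e.g. `{{- /* args replaces the defaults entirely: include --secure-port and anything from extraArgs yourself */}}`.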
diff --git a/goldilocks-4.9/charts/metrics-server/templates/extra-list.yaml b/goldilocks-4.9/charts/metrics-server/templates/extra-list.yaml
new file mode 100644
index 0000000..9ac65f9
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/extra-list.yaml
@@ -0,0 +1,4 @@
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/metrics-server/templates/metrics-api-service.yaml b/goldilocks-4.9/charts/metrics-server/templates/metrics-api-service.yaml
new file mode 100644
index 0000000..3021a16
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/metrics-api-service.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.apiService.create -}}
+apiVersion: {{ include "common.capabilities.apiService.apiVersion" . }}
+kind: APIService
+metadata:
+ name: v1beta1.metrics.k8s.io
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ service:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ group: metrics.k8s.io
+ version: v1beta1
+ insecureSkipTLSVerify: {{ .Values.apiService.insecureSkipTLSVerify | default true }}
+ {{- if .Values.apiService.caBundle }}
+ caBundle: {{ .Values.apiService.caBundle }}
+ {{- end }}
+ groupPriorityMinimum: 100
+ versionPriority: 100
+{{- end -}}
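Review bot: `insecureSkipTLSVerify: {{ .Values.apiService.insecureSkipTLSVerify | default true }}` always renders `true`, because Sprig's `default` treats a boolean `false` as empty, so setting the value to `false` cannot turn verification back on. The APIService then tells the API server to skip certificate verification of the metrics-server endpoint, and a configured `caBundle` is rendered next to it, a combination the API server is expected to reject. Test for the type instead of emptiness: `insecureSkipTLSVerify: {{ if kindIs "bool" .Values.apiService.insecureSkipTLSVerify }}{{ .Values.apiService.insecureSkipTLSVerify }}{{ else }}true{{ end }}`.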
diff --git a/goldilocks-4.9/charts/metrics-server/templates/metrics-server-crb.yaml b/goldilocks-4.9/charts/metrics-server/templates/metrics-server-crb.yaml
new file mode 100644
index 0000000..20c3675
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/metrics-server-crb.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create -}}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "common.names.fullname.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "common.names.fullname.namespace" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "metrics-server.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/templates/pdb.yaml b/goldilocks-4.9/charts/metrics-server/templates/pdb.yaml
new file mode 100644
index 0000000..17f174c
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/pdb.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.pdb.create -}}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.pdb.minAvailable }}
+ minAvailable: {{ .Values.pdb.minAvailable }}
+ {{- end }}
+ {{- if .Values.pdb.maxUnavailable }}
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+{{- end -}}
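Review bot: The two `if` blocks under `spec` are independent, so a values file that sets both `pdb.minAvailable` and `pdb.maxUnavailable` renders both fields, which a PodDisruptionBudget does not accept together. Both tests are also truthiness checks, so an integer `0` is dropped silently. Making the second block `{{- else if .Values.pdb.maxUnavailable }}` under the first `if` keeps the rendered object valid, and a short comment on the `0` case would cover the rest.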
diff --git a/goldilocks-4.9/charts/metrics-server/templates/role-binding.yaml b/goldilocks-4.9/charts/metrics-server/templates/role-binding.yaml
new file mode 100644
index 0000000..e34cb18
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/role-binding.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create -}}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-auth-reader" (include "common.names.fullname.namespace" .) }}
+ namespace: kube-system
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "metrics-server.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/templates/serviceaccount.yaml b/goldilocks-4.9/charts/metrics-server/templates/serviceaccount.yaml
new file mode 100644
index 0000000..b2c0c09
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/serviceaccount.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "metrics-server.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.serviceAccount.annotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.serviceAccount.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/metrics-server/templates/svc.yaml b/goldilocks-4.9/charts/metrics-server/templates/svc.yaml
new file mode 100644
index 0000000..74a7c0f
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/templates/svc.yaml
@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.service.labels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.service.labels "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.service.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.service.annotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
+ clusterIP: {{ .Values.service.clusterIP }}
+ {{- end }}
+ {{- if .Values.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- end }}
+ {{- if .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
+ externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }}
+ loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}
+ {{- end }}
+ {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: https
+ port: {{ .Values.service.ports.https }}
+ protocol: TCP
+ targetPort: https
+ {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https)) }}
+ nodePort: {{ .Values.service.nodePorts.https }}
+ {{- else if eq .Values.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
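Review bot: `loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}` prints the list with Go's default formatting, e.g. `[10.0.0.0/8 192.168.0.0/16]` (constructed example), which YAML reads as a single string element rather than two CIDRs. This field is the source-IP allow-list for a LoadBalancer Service, so with more than one range configured the restriction would be rejected or not applied as intended. Render it as YAML instead: `loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}`.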
diff --git a/goldilocks-4.9/charts/metrics-server/values.yaml b/goldilocks-4.9/charts/metrics-server/values.yaml
new file mode 100644
index 0000000..8a1c567
--- /dev/null
+++ b/goldilocks-4.9/charts/metrics-server/values.yaml
@@ -0,0 +1,446 @@
+## @section Global parameters
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+
+## @param global.imageRegistry Global Docker image registry
+## @param global.imagePullSecrets Global Docker registry secret names as an array
+##
+global:
+ imageRegistry: ""
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+
+## @section Common parameters
+
+## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
+##
+kubeVersion: ""
+## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override common.names.fullname template
+##
+fullnameOverride: ""
+## @param namespaceOverride String to fully override common.names.namespace
+##
+namespaceOverride: ""
+## @param commonLabels Add labels to all the deployed resources
+##
+commonLabels: {}
+## @param commonAnnotations Add annotations to all the deployed resources
+##
+commonAnnotations: {}
+## @param extraDeploy Array of extra objects to deploy with the release
+##
+extraDeploy: []
+## Enable diagnostic mode in the deployment(s)/statefulset(s)
+##
+diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the the deployment(s)/statefulset(s)
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers in the the deployment(s)/statefulset(s)
+ ##
+ args:
+ - infinity
+
+## @section Metrics Server parameters
+
+## Bitnami Metrics Server image version
+## ref: https://hub.docker.com/r/bitnami/metrics-server/tags/
+## @param image.registry Metrics Server image registry
+## @param image.repository Metrics Server image repository
+## @param image.tag Metrics Server image tag (immutable tags are recommended)
+## @param image.digest Metrics Server image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+## @param image.pullPolicy Metrics Server image pull policy
+## @param image.pullSecrets Metrics Server image pull secrets
+##
+image:
+ registry: docker.io
+ repository: bitnami/metrics-server
+ tag: 0.6.3-debian-11-r21
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+
+## @param hostAliases Add deployment host aliases
+## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+##
+hostAliases: []
+## @param replicas Number of metrics-server nodes to deploy
+##
+replicas: 1
+## @param updateStrategy.type Set up update strategy for metrics-server installation.
+## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first.
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+## Example:
+## updateStrategy:
+## type: RollingUpdate
+## rollingUpdate:
+## maxSurge: 25%
+## maxUnavailable: 25%
+##
+updateStrategy:
+ type: RollingUpdate
+## Role Based Access
+## ref: https://kubernetes.io/docs/admin/authorization/rbac/
+##
+rbac:
+ ## @param rbac.create Enable RBAC authentication
+ ##
+ create: true
+## Pods Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+ ## @param serviceAccount.create Specifies whether a ServiceAccount should be created
+ ##
+ create: true
+ ## @param serviceAccount.name The name of the ServiceAccount to create
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ name: ""
+ ## @param serviceAccount.automountServiceAccountToken Automount API credentials for a service account
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+ ##
+ automountServiceAccountToken: true
+ ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
+ ##
+ annotations: {}
+## API service parameters
+##
+apiService:
+ ## @param apiService.create Specifies whether the v1beta1.metrics.k8s.io API service should be created. You can check if it is needed with `kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes"`.
+ ## This is still necessary up to at least k8s version >= 1.21, but depends on vendors and cloud providers.
+ ##
+ create: false
+ ## @param apiService.insecureSkipTLSVerify Specifies whether to skip self-verifying self-signed TLS certificates. Set to "false" if you are providing your own certificates.
+ ## Note that "false" MUST be in quotation marks (cf. https://github.com/helm/helm/issues/3308), since false without quotation marks will render to true
+ insecureSkipTLSVerify: true
+ ## @param apiService.caBundle A base64-encoded string of concatenated certificates for the CA chain for the APIService.
+ caBundle: ""
+## @param containerPorts.https Port where metrics-server will be running
+##
+containerPorts:
+ https: 8443
+## @param hostNetwork Enable hostNetwork mode
+## You would require this enabled if you use alternate overlay networking for pods and
+## API server unable to communicate with metrics-server. As an example, this is required
+## if you use Weave network on EKS
+##
+hostNetwork: false
+## @param dnsPolicy Default dnsPolicy setting
+## If you enable hostNetwork then you may need to set your dnsPolicy to something other
+## than "ClusterFirst" depending on your requirements.
+dnsPolicy: "ClusterFirst"
+## @param command Override default container command (useful when using custom images)
+##
+command: []
+## @param args Override default container args (useful when using custom images)
+##
+args: []
+## @param lifecycleHooks for the metrics-server container(s) to automate configuration before or after startup
+##
+lifecycleHooks: {}
+## @param extraEnvVars Array with extra environment variables to add to metrics-server nodes
+## e.g:
+## extraEnvVars:
+## - name: FOO
+## value: "bar"
+##
+extraEnvVars: []
+## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for metrics-server nodes
+##
+extraEnvVarsCM: ""
+## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for metrics-server nodes
+##
+extraEnvVarsSecret: ""
+## @param extraArgs Extra arguments to pass to metrics-server on start up
+## ref: https://github.com/kubernetes-incubator/metrics-server#flags
+##
+## extraArgs:
+## - --kubelet-insecure-tls=true
+## - --kubelet-preferred-address-types=InternalIP
+##
+extraArgs: []
+## @param sidecars Add additional sidecar containers to the metrics-server pod(s)
+## e.g:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+sidecars: []
+## @param initContainers Add additional init containers to the metrics-server pod(s)
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+## e.g:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## command: ['sh', '-c', 'echo "hello world"']
+##
+initContainers: []
+## @param podLabels Pod labels
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+## @param podAnnotations Pod annotations
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+## @param priorityClassName Priority class for pod scheduling
+## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+priorityClassName: ""
+## @param schedulerName Name of the k8s scheduler (other than default)
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+## @param terminationGracePeriodSeconds In seconds, time the given to the metrics-server pod needs to terminate gracefully
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+##
+terminationGracePeriodSeconds: ""
+## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAffinityPreset: ""
+## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAntiAffinityPreset: soft
+## Pod disruption budget
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets
+## @param pdb.create Create a PodDisruptionBudget
+## @param pdb.minAvailable Minimum available instances
+## @param pdb.maxUnavailable Maximum unavailable instances
+##
+pdb:
+ create: false
+ minAvailable: ""
+ maxUnavailable: ""
+## Node affinity preset
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+##
+nodeAffinityPreset:
+ ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+## @param affinity Affinity for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
+##
+affinity: {}
+## @param topologySpreadConstraints Topology spread constraints for pod
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints
+##
+topologySpreadConstraints: []
+## @param nodeSelector Node labels for pod assignment
+## ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## @param tolerations Tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+## Metrics Server K8s svc properties
+##
+service:
+ ## @param service.type Kubernetes Service type
+ ##
+ type: ClusterIP
+ ## @param service.ports.https Kubernetes Service port
+ ##
+ ports:
+ https: 443
+ ## @param service.nodePorts.https Kubernetes Service port
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ## e.g:
+ ## nodePort: 30001
+ ##
+ nodePorts:
+ https: ""
+ ## @param service.clusterIP metrics-server service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param service.loadBalancerIP LoadBalancer IP if Service type is `LoadBalancer`
+ ## Set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.loadBalancerSourceRanges metrics-server service Load Balancer sources
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param service.externalTrafficPolicy metrics-server service external traffic policy
+ ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param service.annotations Annotations for the Service
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ ## @param service.labels Labels for the Service
+ ## have metrics-server show up in `kubectl cluster-info`
+ ## kubernetes.io/cluster-service: "true"
+ ## kubernetes.io/name: "Metrics-server"
+ ##
+ labels: {}
+ ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+## Metric Server containers' resource requests and limits
+## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+## We usually recommend not to specify default resources and to leave this as a conscious
+## choice for the user. This also increases chances charts run on environments with little
+## resources, such as Minikube. If you do want to specify resources, uncomment the following
+## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+## @param resources.limits The resources limits for the container
+## @param resources.requests The requested resources for the container
+##
+resources:
+ ## Example:
+ ## limits:
+ ## cpu: 250m
+ ## memory: 256Mi
+ limits: {}
+ ## Examples:
+ ## requests:
+ ## cpu: 250m
+ ## memory: 256Mi
+ requests: {}
+## Configure extra options for metrics-server containers' liveness, readiness and startup probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+## @param startupProbe.enabled Enable startupProbe
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold for startupProbe
+## @param startupProbe.successThreshold Success threshold for startupProbe
+startupProbe:
+ enabled: false
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+## @param livenessProbe.enabled Enable livenessProbe
+## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+## @param livenessProbe.periodSeconds Period seconds for livenessProbe
+## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
+## @param livenessProbe.successThreshold Success threshold for livenessProbe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+## @param readinessProbe.enabled Enable readinessProbe
+## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+## @param readinessProbe.periodSeconds Period seconds for readinessProbe
+## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
+## @param readinessProbe.successThreshold Success threshold for readinessProbe
+##
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+## @param customStartupProbe Custom liveness probe for the Web component
+##
+customStartupProbe: {}
+## @param customLivenessProbe Custom Liveness probes for metrics-server
+##
+customLivenessProbe: {}
+## @param customReadinessProbe Custom Readiness probes metrics-server
+##
+customReadinessProbe: {}
+## Container security context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+## @param containerSecurityContext.enabled Enable Container security context
+## @param containerSecurityContext.readOnlyRootFilesystem ReadOnlyRootFilesystem for the container
+## @param containerSecurityContext.runAsNonRoot Run containers as non-root users
+## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+##
+containerSecurityContext:
+ enabled: true
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: 1001
+## Pod security context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param podSecurityContext.enabled Pod security context
+## @param podSecurityContext.fsGroup Set %%MAIN_CONTAINER_NAME%% pod's Security Context fsGroup
+##
+podSecurityContext:
+ enabled: false
+ fsGroup: 1001
+## Extra volumes to mount
+## @param extraVolumes Extra volumes
+## @param extraVolumeMounts Mount extra volume(s)
+## Example Use Case: mount an `emptyDir` to allow running with a `readOnlyRootFilesystem: true`
+## extraVolumes:
+## - name: tmpdir
+## emptyDir: {}
+##
+extraVolumes: []
+## extraVolumeMounts:
+## - name: tmpdir
+## mountPath: /tmp
+##
+extraVolumeMounts: []
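Review bot: `apiService.insecureSkipTLSVerify: true` with an empty `apiService.caBundle` means that, as soon as `apiService.create` is enabled, the APIService presumably tells the API server not to verify the metrics-server serving certificate (the template is not in this hunk). This default deserves an explicit override rather than silent inheritance. Because this file is the bundled metrics-server subchart, the override belongs in the parent chart's values, for example `metrics-server.apiService.insecureSkipTLSVerify: "false"` together with `metrics-server.apiService.caBundle: "<BASE64_CA_CHAIN_PLACEHOLDER>"`. The quotes matter: the comment directly above the key states that an unquoted `false` renders to true, so a plain boolean override would leave verification disabled without any error. Separately, `containerSecurityContext.readOnlyRootFilesystem` is `false` even though the `extraVolumes`/`extraVolumeMounts` comments at the end of the hunk already describe the `emptyDir` on `/tmp` needed to run with it set to `true`.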
diff --git a/goldilocks-4.9/charts/vpa/.helmignore b/goldilocks-4.9/charts/vpa/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/goldilocks-4.9/charts/vpa/Chart.lock b/goldilocks-4.9/charts/vpa/Chart.lock
new file mode 100644
index 0000000..c9f8f62
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: metrics-server
+ repository: https://kubernetes-sigs.github.io/metrics-server/
+ version: 3.10.0
+digest: sha256:0a1ceadffa31a28b452eddff98027bcc4df9894d22f2e74ccbfa1828477db27c
+generated: "2023-06-05T09:00:56.207403385+02:00"
diff --git a/goldilocks-4.9/charts/vpa/Chart.yaml b/goldilocks-4.9/charts/vpa/Chart.yaml
new file mode 100644
index 0000000..4dbf937
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+appVersion: 0.13.0
+dependencies:
+- alias: metrics-server
+ condition: metrics-server.enabled
+ name: metrics-server
+ repository: https://kubernetes-sigs.github.io/metrics-server/
+ version: 3.10.0
+description: A Helm chart for Kubernetes Vertical Pod Autoscaler
+home: https://github.com/FairwindsOps/charts/tree/master/stable/vpa
+kubeVersion: '>= 1.21.0-0'
+maintainers:
+- name: sudermanjr
+name: vpa
+sources:
+- https://github.com/FairwindsOps/charts/tree/master/stable/vpa
+- https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler
+type: application
+version: 2.2.0
diff --git a/goldilocks-4.9/charts/vpa/README.md b/goldilocks-4.9/charts/vpa/README.md
new file mode 100644
index 0000000..3d196b3
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/README.md
@@ -0,0 +1,190 @@
+# VPA
+
+A chart to install the [Kubernetes Vertical Pod Autoscaler](https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler)
+
+This chart is mostly based on the manifests and various scripts in the `deploy` and `hack` directories of the VPA repository.
+
+## Tests and Debugging
+
+There are a few tests included with this chart that can help debug why your installation of VPA isn't working as expected. You can run `helm test -n ` to run them.
+
+* `crds-available` - Checks for both the _verticalpodautoscalers_ and _verticalpodautoscalercheckpoints_ CRDs
+* `metrics-api-available` - Checks to make sure that the metrics API endpoint is available. If it's not, install [metrics-server](https://github.com/kubernetes-sigs/metrics-server) in your cluster.
+* `create-vpa` - A simple check to make sure that VPA objects can be created in your cluster. Does not check for functionality of that VPA.
++ `webhook-configuration` - Checks that both the service and the CA bundle in the MutatingWebhookconfiguration are configured correctly.
+
+## Components
+
+There are three primary components to the Vertical Pod Autoscaler that can be enabled individually here.
+
+* recommender
+* updater
+* admissionController
+
+The admissionController is the only one that poses a stability consideration because it will create a `MutatingWebhookconfiguration` in your cluster. This _could_ cause the cluster to stop accepting pod creation requests, if it is not configured correctly. Because of this, the `MutatingWebhookconfiguration` has its `failurePolicy` set to `Ignore` by default.
+
+For more details, please see the values below, and the vertical pod autosclaer documentation.
+
+## *BREAKING* Upgrading from <= v1.7.x to 2.0.0
+
+### Certificate generation
+
+The certificate creation process was changed from using OpenSSL to [kube-webhook-certgen](https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen) to simplify the process.
+It still uses the same configuration keys (.Values.admissionController.certGen), which makes it impossible to reuse the values from a previous install.
+
+You can mitigate this change by setting the correct image for the upgrade:
+
+```bash
+helm upgrade fairwinds-stable/vpa --version 2.0.0 --reuse-values \
+ --set "admissionController.certGen.image.repository=registry.k8s.io/ingress-nginx/kube-webhook-certgen" \
+ --set "admissionController.certGen.image.tag=v20230312-helm-chart-4.5.2-28-g66a760794"
+```
+
+The new process is incompatible with the old secrets layout. To mitigate this, the secret was renamed to (by default) `-tls-certs` and can now also be customized.
+
+All other changes are implemented in a non breaking fashion.
+
+### MutatingWebhookconfiguration
+
+Previously, the webhook creation was handled by the admission controller itself. This had the downside that Helm is not in control of the resource and therefore required the cleanupOnDelete job.
+
+This version disables the *selfRegistration* by the admission controller and creates the MutatingWebhookconfiguration using Helm.
+
+You can either:
+
+* Migrate the MutatingWebhookconfiguration by:
+ * adding the label `app.kubernetes.io/managed-by: Helm`
+ * adding the annotation `meta.helm.sh/release-name: `
+ * adding the annotation `meta.helm.sh/release-namespace: `
+
+* delete the configuration and it will be recreated by Helm
+* or keep the configuration as it is and Helm will ignore it. Execute the tests, to make sure everything works.
+
+Also, the `cleanupOnDelete` configuration is obsolete.
+
+### Admission controller
+
+The admission controller is enabled by default.
+
+## *BREAKING* Upgrading from v0.x.x to v1.x.x
+
+In the previous version, when the admissionController.cleanupOnDelete flag was set to true, MutatingWebhookconfiguration and the tls secret for the admission controller were removed. There was no chance to pass any image information to start remove process. Now, it could be passed custom image by version 1.0.0.
+
+```yaml
+cleanupOnDelete:
+ enabled: true
+ image:
+ repository: quay.io/reactiveops/ci-images
+ tag: v11-alpine
+
+```
+
+## Installation
+
+```bash
+helm repo add fairwinds-stable https://charts.fairwinds.com/stable
+helm install vpa fairwinds-stable/vpa --namespace vpa --create-namespace
+```
+
+## Utilize Prometheus for History
+
+In order to utilize prometheus for recommender history, you will need to pass some extra flags to the recommender. If you use prometheus operator installed in the `prometheus-operator` namespace, these values will do the trick.
+
+```yaml
+recommender:
+ extraArgs:
+ prometheus-address: |
+ http://prometheus-operator-prometheus.prometheus-operator.svc.cluster.local:9090
+ storage: prometheus
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| imagePullSecrets | list | `[]` | A list of image pull secrets to be used for all pods |
+| priorityClassName | string | `""` | To set the priorityclass for all pods |
+| nameOverride | string | `""` | A template override for the name |
+| fullnameOverride | string | `""` | A template override for the fullname |
+| podLabels | object | `{}` | Labels to add to all pods |
+| rbac.create | bool | `true` | If true, then rbac resources (clusterroles and clusterrolebindings) will be created for the selected components. Temporary rbac resources will still be created, to ensure a functioning installation process |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created for each component |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service accounts for each component |
+| serviceAccount.name | string | `""` | The base name of the service account to use (appended with the component). If not set and create is true, a name is generated using the fullname template and appended for each component |
+| serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
+| recommender.enabled | bool | `true` | If true, the vpa recommender component will be installed. |
+| recommender.extraArgs | object | `{"pod-recommendation-min-cpu-millicores":15,"pod-recommendation-min-memory-mb":100,"v":"4"}` | A set of key-value flags to be passed to the recommender |
+| recommender.replicaCount | int | `1` | |
+| recommender.podDisruptionBudget | object | `{}` | This is the setting for the pod disruption budget |
+| recommender.image.repository | string | `"registry.k8s.io/autoscaling/vpa-recommender"` | The location of the recommender image |
+| recommender.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| recommender.image.pullPolicy | string | `"Always"` | The pull policy for the recommender image. Recommend not changing this |
+| recommender.podAnnotations | object | `{}` | Annotations to add to the recommender pod |
+| recommender.podLabels | object | `{}` | Labels to add to the recommender pod |
+| recommender.podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":65534}` | The security context for the recommender pod |
+| recommender.securityContext | object | `{}` | The security context for the containers inside the recommender pod |
+| recommender.livenessProbe | object | `{"failureThreshold":6,"httpGet":{"path":"/health-check","port":"metrics","scheme":"HTTP"},"periodSeconds":5,"successThreshold":1,"timeoutSeconds":3}` | The liveness probe definition inside the recommender pod |
+| recommender.readinessProbe | object | `{"failureThreshold":120,"httpGet":{"path":"/health-check","port":"metrics","scheme":"HTTP"},"periodSeconds":5,"successThreshold":1,"timeoutSeconds":3}` | The readiness probe definition inside the recommender pod |
+| recommender.resources | object | `{"limits":{"cpu":"200m","memory":"1000Mi"},"requests":{"cpu":"50m","memory":"500Mi"}}` | The resources block for the recommender pod |
+| recommender.nodeSelector | object | `{}` | |
+| recommender.tolerations | list | `[]` | |
+| recommender.affinity | object | `{}` | |
+| recommender.podMonitor | object | `{"annotations":{},"enabled":false,"labels":{}}` | Enables a prometheus operator podMonitor for the recommender |
+| updater.enabled | bool | `true` | If true, the updater component will be deployed |
+| updater.extraArgs | object | `{}` | A key-value map of flags to pass to the updater |
+| updater.replicaCount | int | `1` | |
+| updater.podDisruptionBudget | object | `{}` | This is the setting for the pod disruption budget |
+| updater.image.repository | string | `"registry.k8s.io/autoscaling/vpa-updater"` | The location of the updater image |
+| updater.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| updater.image.pullPolicy | string | `"Always"` | The pull policy for the updater image. Recommend not changing this |
+| updater.podAnnotations | object | `{}` | Annotations to add to the updater pod |
+| updater.podLabels | object | `{}` | Labels to add to the updater pod |
+| updater.podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":65534}` | The security context for the updater pod |
+| updater.securityContext | object | `{}` | The security context for the containers inside the updater pod |
+| updater.livenessProbe | object | `{"failureThreshold":6,"httpGet":{"path":"/health-check","port":"metrics","scheme":"HTTP"},"periodSeconds":5,"successThreshold":1,"timeoutSeconds":3}` | The liveness probe definition inside the updater pod |
+| updater.readinessProbe | object | `{"failureThreshold":120,"httpGet":{"path":"/health-check","port":"metrics","scheme":"HTTP"},"periodSeconds":5,"successThreshold":1,"timeoutSeconds":3}` | The readiness probe definition inside the updater pod |
+| updater.resources | object | `{"limits":{"cpu":"200m","memory":"1000Mi"},"requests":{"cpu":"50m","memory":"500Mi"}}` | The resources block for the updater pod |
+| updater.nodeSelector | object | `{}` | |
+| updater.tolerations | list | `[]` | |
+| updater.affinity | object | `{}` | |
+| updater.podMonitor | object | `{"annotations":{},"enabled":false,"labels":{}}` | Enables a prometheus operator podMonitor for the updater |
+| admissionController.enabled | bool | `true` | If true, will install the admission-controller component of vpa |
+| admissionController.extraArgs | object | `{}` | A key-value map of flags to pass to the admissionController |
+| admissionController.generateCertificate | bool | `true` | If true and admissionController is enabled, a pre-install hook will run to create the certificate for the webhook |
+| admissionController.secretName | string | `"{{ include \"vpa.fullname\" . }}-tls-secret"` | Name for the TLS secret created for the webhook. Default {{ .Release.Name }}-tls-secret |
+| admissionController.certGen.image.repository | string | `"registry.k8s.io/ingress-nginx/kube-webhook-certgen"` | An image that contains certgen for creating certificates. Only used if admissionController.generateCertificate is true |
+| admissionController.certGen.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` | An image tag for the admissionController.certGen.image.repository image. Only used if admissionController.generateCertificate is true |
+| admissionController.certGen.image.pullPolicy | string | `"Always"` | The pull policy for the certgen image. Recommend not changing this |
+| admissionController.certGen.env | object | `{}` | Additional environment variables to be added to the certgen container. Format is KEY: Value format |
+| admissionController.certGen.resources | object | `{}` | The resources block for the certgen pod |
+| admissionController.certGen.securityContext | object | `{}` | The securityContext block for the certgen pod |
+| admissionController.certGen.nodeSelector | object | `{}` | |
+| admissionController.certGen.tolerations | list | `[]` | |
+| admissionController.certGen.affinity | object | `{}` | |
+| admissionController.mutatingWebhookConfiguration.annotations | object | `{}` | Additional annotations for the MutatingWebhookConfiguration. Can be used for integration with cert-manager |
+| admissionController.mutatingWebhookConfiguration.failurePolicy | string | `"Ignore"` | The failurePolicy for the mutating webhook. Allowed values are: Ignore, Fail |
+| admissionController.mutatingWebhookConfiguration.namespaceSelector | object | `{}` | The namespaceSelector controls, which namespaces are affected by the webhook |
+| admissionController.mutatingWebhookConfiguration.objectSelector | object | `{}` | The objectSelector can filter object on e.g. labels |
+| admissionController.mutatingWebhookConfiguration.timeoutSeconds | int | `30` | |
+| admissionController.replicaCount | int | `1` | |
+| admissionController.podDisruptionBudget | object | `{}` | This is the setting for the pod disruption budget |
+| admissionController.image.repository | string | `"registry.k8s.io/autoscaling/vpa-admission-controller"` | The location of the vpa admission controller image |
+| admissionController.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| admissionController.image.pullPolicy | string | `"Always"` | The pull policy for the admission controller image. Recommend not changing this |
+| admissionController.podAnnotations | object | `{}` | Annotations to add to the admission controller pod |
+| admissionController.podLabels | object | `{}` | Labels to add to the admission controller pod |
+| admissionController.podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":65534}` | The security context for the admission controller pod |
+| admissionController.securityContext | object | `{}` | The security context for the containers inside the admission controller pod |
+| admissionController.livenessProbe | object | `{"failureThreshold":6,"httpGet":{"path":"/health-check","port":"metrics","scheme":"HTTP"},"periodSeconds":5,"successThreshold":1,"timeoutSeconds":3}` | The liveness probe definition inside the admission controller pod |
+| admissionController.readinessProbe | object | `{"failureThreshold":120,"httpGet":{"path":"/health-check","port":"metrics","scheme":"HTTP"},"periodSeconds":5,"successThreshold":1,"timeoutSeconds":3}` | The readiness probe definition inside the admission controller pod |
+| admissionController.resources | object | `{"limits":{"cpu":"200m","memory":"500Mi"},"requests":{"cpu":"50m","memory":"200Mi"}}` | The resources block for the admission controller pod |
+| admissionController.tlsSecretKeys | list | `[]` | The keys in the vpa-tls-certs secret to map in to the admission controller |
+| admissionController.nodeSelector | object | `{}` | |
+| admissionController.tolerations | list | `[]` | |
+| admissionController.affinity | object | `{}` | |
+| tests.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10324}` | The security context for the containers run as helm hook tests |
+| tests.image.repository | string | `"bitnami/kubectl"` | An image used for testing containing bash, cat and kubectl |
+| tests.image.tag | string | `""` | An image tag for the tests image |
+| tests.image.pullPolicy | string | `"Always"` | The pull policy for the tests image. |
+| metrics-server | object | `{"enabled":false}` | configuration options for the [metrics server Helm chart](https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server). See the projects [README.md](https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server#configuration) for all available options |
+| metrics-server.enabled | bool | `false` | Whether or not the metrics server Helm chart should be installed |
diff --git a/goldilocks-4.9/charts/vpa/README.md.gotmpl b/goldilocks-4.9/charts/vpa/README.md.gotmpl
new file mode 100644
index 0000000..58e6bbe
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/README.md.gotmpl
@@ -0,0 +1,101 @@
+# VPA
+
+A chart to install the [Kubernetes Vertical Pod Autoscaler](https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler)
+
+This chart is mostly based on the manifests and various scripts in the `deploy` and `hack` directories of the VPA repository.
+
+## Tests and Debugging
+
+There are a few tests included with this chart that can help debug why your installation of VPA isn't working as expected. You can run `helm test -n ` to run them.
+
+* `crds-available` - Checks for both the _verticalpodautoscalers_ and _verticalpodautoscalercheckpoints_ CRDs
+* `metrics-api-available` - Checks to make sure that the metrics API endpoint is available. If it's not, install [metrics-server](https://github.com/kubernetes-sigs/metrics-server) in your cluster.
+* `create-vpa` - A simple check to make sure that VPA objects can be created in your cluster. Does not check for functionality of that VPA.
++ `webhook-configuration` - Checks that both the service and the CA bundle in the MutatingWebhookconfiguration are configured correctly.
+
+## Components
+
+There are three primary components to the Vertical Pod Autoscaler that can be enabled individually here.
+
+* recommender
+* updater
+* admissionController
+
+The admissionController is the only one that poses a stability consideration because it will create a `MutatingWebhookconfiguration` in your cluster. This _could_ cause the cluster to stop accepting pod creation requests, if it is not configured correctly. Because of this, the `MutatingWebhookconfiguration` has its `failurePolicy` set to `Ignore` by default.
+
+For more details, please see the values below, and the vertical pod autosclaer documentation.
+
+## *BREAKING* Upgrading from <= v1.7.x to 2.0.0
+
+### Certificate generation
+
+The certificate creation process was changed from using OpenSSL to [kube-webhook-certgen](https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen) to simplify the process.
+It still uses the same configuration keys (.Values.admissionController.certGen), which makes it impossible to reuse the values from a previous install.
+
+You can mitigate this change by setting the correct image for the upgrade:
+
+```bash
+helm upgrade fairwinds-stable/vpa --version 2.0.0 --reuse-values \
+ --set "admissionController.certGen.image.repository=registry.k8s.io/ingress-nginx/kube-webhook-certgen" \
+ --set "admissionController.certGen.image.tag=v20230312-helm-chart-4.5.2-28-g66a760794"
+```
+
+The new process is incompatible with the old secrets layout. To mitigate this, the secret was renamed to (by default) `-tls-certs` and can now also be customized.
+
+All other changes are implemented in a non breaking fashion.
+
+### MutatingWebhookconfiguration
+
+Previously, the webhook creation was handled by the admission controller itself. This had the downside that Helm is not in control of the resource and therefore required the cleanupOnDelete job.
+
+This version disables the *selfRegistration* by the admission controller and creates the MutatingWebhookconfiguration using Helm.
+
+You can either:
+
+* Migrate the MutatingWebhookconfiguration by:
+ * adding the label `app.kubernetes.io/managed-by: Helm`
+ * adding the annotation `meta.helm.sh/release-name: `
+ * adding the annotation `meta.helm.sh/release-namespace: `
+
+* delete the configuration and it will be recreated by Helm
+* or keep the configuration as it is and Helm will ignore it. Execute the tests, to make sure everything works.
+
+Also, the `cleanupOnDelete` configuration is obsolete.
+
+### Admission controller
+
+The admission controller is enabled by default.
+
+## *BREAKING* Upgrading from v0.x.x to v1.x.x
+
+In the previous version, when the admissionController.cleanupOnDelete flag was set to true, MutatingWebhookconfiguration and the tls secret for the admission controller were removed. There was no chance to pass any image information to start remove process. Now, it could be passed custom image by version 1.0.0.
+
+```yaml
+cleanupOnDelete:
+ enabled: true
+ image:
+ repository: quay.io/reactiveops/ci-images
+ tag: v11-alpine
+
+```
+
+## Installation
+
+```bash
+helm repo add fairwinds-stable https://charts.fairwinds.com/stable
+helm install vpa fairwinds-stable/vpa --namespace vpa --create-namespace
+```
+
+## Utilize Prometheus for History
+
+In order to utilize prometheus for recommender history, you will need to pass some extra flags to the recommender. If you use prometheus operator installed in the `prometheus-operator` namespace, these values will do the trick.
+
+```yaml
+recommender:
+ extraArgs:
+ prometheus-address: |
+ http://prometheus-operator-prometheus.prometheus-operator.svc.cluster.local:9090
+ storage: prometheus
+```
+
+{{ template "chart.valuesSection" . }}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/.helmignore b/goldilocks-4.9/charts/vpa/charts/metrics-server/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/Chart.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/Chart.yaml
new file mode 100644
index 0000000..037f690
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/Chart.yaml
@@ -0,0 +1,32 @@
+annotations:
+ artifacthub.io/changes: |
+ - kind: fixed
+ description: "Fixed auth-reader role binding namespace to always use kube-system."
+ - kind: fixed
+ description: "Fixed addon resizer configuration."
+ - kind: added
+ description: "Added support for running under PodSecurity restricted."
+ - kind: fixed
+ description: "Fixed container port default not having been updated to 10250."
+apiVersion: v2
+appVersion: 0.6.3
+description: Metrics Server is a scalable, efficient source of container resource
+ metrics for Kubernetes built-in autoscaling pipelines.
+home: https://github.com/kubernetes-sigs/metrics-server
+icon: https://avatars.githubusercontent.com/u/36015203?s=400&v=4
+keywords:
+- kubernetes
+- metrics-server
+- metrics
+maintainers:
+- name: stevehipwell
+ url: https://github.com/stevehipwell
+- name: krmichel
+ url: https://github.com/krmichel
+- name: endrec
+ url: https://github.com/endrec
+name: metrics-server
+sources:
+- https://github.com/kubernetes-sigs/metrics-server
+type: application
+version: 3.10.0
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/README.md b/goldilocks-4.9/charts/vpa/charts/metrics-server/README.md
new file mode 100644
index 0000000..a10cbae
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/README.md
@@ -0,0 +1,90 @@
+# Kubernetes Metrics Server
+
+[Metrics Server](https://github.com/kubernetes-sigs/metrics-server/) is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines.
+
+
+
+## Installing the Chart
+
+Before you can install the chart you will need to add the `metrics-server` repo to [Helm](https://helm.sh/).
+
+```shell
+helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/
+```
+
+After you've installed the repo you can install the chart.
+
+```shell
+helm upgrade --install metrics-server metrics-server/metrics-server
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the _Metrics Server_ chart and their default values.
+
+| Parameter | Description | Default |
+| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
+| `image.repository` | Image repository. | `registry.k8s.io/metrics-server/metrics-server` |
+| `image.tag` | Image tag, will override the default tag derived from the chart app version. | `""` |
+| `image.pullPolicy` | Image pull policy. | `IfNotPresent` |
+| `imagePullSecrets` | Image pull secrets. | `[]` |
+| `nameOverride` | Override the `name` of the chart. | `nil` |
+| `fullnameOverride` | Override the `fullname` of the chart. | `nil` |
+| `serviceAccount.create` | If `true`, create a new service account. | `true` |
+| `serviceAccount.annotations` | Annotations to add to the service account. | `{}` |
+| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. | `nil` |
+| `serviceAccount.secrets` | The list of secrets mountable by this service account. See https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets | `[]` |
+| `rbac.create` | If `true`, create the RBAC resources. | `true` |
+| `rbac.pspEnabled` | If `true`, create a pod security policy resource. | `false` |
+| `apiService.create` | If `true`, create the `v1beta1.metrics.k8s.io` API service. You typically want this enabled! If you disable API service creation you have to manage it outside of this chart for e.g horizontal pod autoscaling to work with this release. | `true` |
+| `apiService.annotations` | Annotations to add to the API service | `{}` |
+| `apiService.insecureSkipTLSVerify` | Specifies whether to skip TLS verification | `true` |
+| `apiService.caBundle` | The PEM encoded CA bundle for TLS verification | `""` |
+| `commonLabels` | Labels to add to each object of the chart. | `{}` |
+| `podLabels` | Labels to add to the pod. | `{}` |
+| `podAnnotations` | Annotations to add to the pod. | `{}` |
+| `podSecurityContext` | Security context for the pod. | `{}` |
+| `securityContext` | Security context for the _metrics-server_ container. | _See values.yaml_ |
+| `priorityClassName` | Priority class name to use. | `system-cluster-critical` |
+| `containerPort` | port for the _metrics-server_ container. | `10250` |
+| `hostNetwork.enabled` | If `true`, start _metric-server_ in hostNetwork mode. You would require this enabled if you use alternate overlay networking for pods and API server unable to communicate with metrics-server. As an example, this is required if you use Weave network on EKS. | `false` |
+| `replicas` | Number of replicas to run. | `1` |
+| `updateStrategy` | Customise the default update strategy. | `{}` |
+| `podDisruptionBudget.enabled` | If `true`, create `PodDisruptionBudget` resource. | `{}` |
+| `podDisruptionBudget.minAvailable` | Set the `PodDisruptionBugdet` minimum available pods. | `nil` |
+| `podDisruptionBudget.maxUnavailable` | Set the `PodDisruptionBugdet` maximum unavailable pods. | `nil` |
+| `defaultArgs` | Default arguments to pass to the _metrics-server_ command. | See _values.yaml_ |
+| `args` | Additional arguments to pass to the _metrics-server_ command. | `[]` |
+| `livenessProbe` | Liveness probe. | See _values.yaml_ |
+| `readinessProbe` | Readiness probe. | See _values.yaml_ |
+| `service.type` | Service type. | `ClusterIP` |
+| `service.port` | Service port. | `443` |
+| `service.annotations` | Annotations to add to the service. | `{}` |
+| `service.labels` | Labels to add to the service. | `{}` |
+| `addonResizer.enabled` | If `true`, run the addon-resizer as a sidecar to automatically scale resource requests with cluster size. | `false` |
+| `addonResizer.image.repository` | addon-resizer image repository | registry.k8s.io/autoscaling/addon-resizer |
+| `addonResizer.image.tag` | addon-resizer image tag | 1.8.14 |
+| `addonResizer.resources` | Resource requests and limits for the _nanny_ container. | `{limits: {cpu: 40m, memory: 25Mi}, requests: {cpu: 40m, memory: 25Mi}}` |
+| `addonResizer.nanny.cpu` | The base CPU requirement. | 20m |
+| `addonResizer.nanny.extraCPU` | The amount of CPU to add per node. | 1m |
+| `addonResizer.nanny.extraMemory` | The amount of memory to add per node. | 2Mi |
+| `addonResizer.nanny.memory` | The base memory requirement. | 15Mi |
+| `addonResizer.nanny.minClusterSize` | Specifies the smallest number of nodes resources will be scaled to. | 10 |
+| `addonResizer.nanny.pollPeriod` | The time, in milliseconds, to poll the dependent container. | 300000 |
+| `addonResizer.nanny.threshold` | A number between 0-100. The dependent's resources are rewritten when they deviate from expected by more than threshold. | 5 |
+| `metrics.enabled` | If `true`, allow unauthenticated access to `/metrics`. | `false` |
+| `serviceMonitor.enabled` | If `true`, create a _Prometheus_ service monitor. This needs `metrics.enabled` to be `true`. | `false` |
+| `serviceMonitor.additionalLabels` | Additional labels to be set on the ServiceMonitor. | `{}` |
+| `serviceMonitor.metricRelabelings` | _Prometheus_ metric relabeling. | `[]` |
+| `serviceMonitor.relabelings` | _Prometheus_ relabeling. | `[]` |
+| `serviceMonitor.interval` | _Prometheus_ scrape frequency. | `1m` |
+| `serviceMonitor.scrapeTimeout` | _Prometheus_ scrape timeout. | `10s` |
+| `resources` | Resource requests and limits for the _metrics-server_ container. See https://github.com/kubernetes-sigs/metrics-server#scaling | `{}` |
+| `extraVolumeMounts` | Additional volume mounts for the _metrics-server_ container. | `[]` |
+| `extraVolumes` | Additional volumes for the pod. | `[]` |
+| `nodeSelector` | Node labels for pod assignment. | `{}` |
+| `tolerations` | Tolerations for pod assignment. | `[]` |
+| `affinity` | Affinity for pod assignment. | `{}` |
+| `topologySpreadConstraints` | Pod Topology Spread Constraints. | `[]` |
+| `deploymentAnnotations` | Annotations to add to the deployment. | `{}` |
+| `schedulerName` | scheduler to set to the deployment. | `""` |
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/ci/ci-values.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/ci/ci-values.yaml
new file mode 100644
index 0000000..b9e9ef7
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/ci/ci-values.yaml
@@ -0,0 +1,2 @@
+args:
+ - --kubelet-insecure-tls
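Review bot: `--kubelet-insecure-tls` is set here without a comment, and this flag turns off metrics-server's verification of the kubelet serving certificates it scrapes. The file sits under `ci/`, so it is presumably meant only for test clusters with self-signed kubelet certificates, but nothing in it says so and it is easy to copy into real values. I would add a line above `args:` such as `# CI only: test clusters use self-signed kubelet certs; do not reuse in production values`.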
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/NOTES.txt b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/NOTES.txt
new file mode 100644
index 0000000..0ad6bb0
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/NOTES.txt
@@ -0,0 +1,7 @@
+***********************************************************************
+* Metrics Server *
+***********************************************************************
+ Chart version: {{ .Chart.Version }}
+ App version: {{ .Chart.AppVersion }}
+ Image tag: {{ include "metrics-server.image" . }}
+***********************************************************************
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/_helpers.tpl b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/_helpers.tpl
new file mode 100644
index 0000000..9b87f11
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/_helpers.tpl
@@ -0,0 +1,102 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "metrics-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "metrics-server.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "metrics-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "metrics-server.labels" -}}
+helm.sh/chart: {{ include "metrics-server.chart" . }}
+{{ include "metrics-server.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.commonLabels }}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "metrics-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "metrics-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "metrics-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "metrics-server.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+The image to use
+*/}}
+{{- define "metrics-server.image" -}}
+{{- printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }}
+{{- end }}
+
+{{/*
+The image to use for the addon resizer
+*/}}
+{{- define "metrics-server.addonResizer.image" -}}
+{{- printf "%s:%s" .Values.addonResizer.image.repository .Values.addonResizer.image.tag }}
+{{- end }}
+
+{{/*
+ConfigMap name of addon resizer
+*/}}
+{{- define "metrics-server.addonResizer.configMap" -}}
+{{- printf "%s-%s" (include "metrics-server.fullname" .) "nanny-config" }}
+{{- end }}
+
+{{/*
+Role name of addon resizer
+*/}}
+{{- define "metrics-server.addonResizer.role" -}}
+{{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }}
+{{- end }}
+
+{{/* Get PodDisruptionBudget API Version */}}
+{{- define "metrics-server.pdb.apiVersion" -}}
+ {{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">= 1.21-0" .Capabilities.KubeVersion.Version) -}}
+ {{- print "policy/v1" -}}
+ {{- else -}}
+ {{- print "policy/v1beta1" -}}
+ {{- end -}}
+{{- end -}}
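Review bot: In `metrics-server.serviceAccountName`, the `else` branch falls back to the literal name `default` when `serviceAccount.create` is false and `serviceAccount.name` is unset. The bindings in clusterrolebinding-auth-delegator.yaml, clusterrolebinding.yaml and clusterrolebinding-nanny.yaml use this helper as their subject and are gated only on `rbac.create`. In that configuration `system:auth-delegator` and the chart's ClusterRole are therefore bound to the release namespace's default service account, which every pod that names no service account runs as. Requiring an explicit name closes that path: `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`.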
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/apiservice.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/apiservice.yaml
new file mode 100644
index 0000000..f58931d
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/apiservice.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.apiService.create -}}
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1beta1.metrics.k8s.io
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ {{- with .Values.apiService.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.apiService.caBundle }}
+ caBundle: {{ b64enc . }}
+ {{- end }}
+ group: metrics.k8s.io
+ groupPriorityMinimum: 100
+ insecureSkipTLSVerify: {{ .Values.apiService.insecureSkipTLSVerify }}
+ service:
+ name: {{ include "metrics-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ port: {{ .Values.service.port }}
+ version: v1beta1
+ versionPriority: 100
+{{- end -}}
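Review bot: `insecureSkipTLSVerify` is rendered straight from values even when `caBundle` is set, and the README in this commit lists its default as `true`. A user who supplies only `apiService.caBundle` therefore gets a manifest carrying both fields, which, as far as I know, APIService validation rejects. If they leave the bundle out, the aggregation layer does not verify the metrics-server serving certificate at all. Deriving the flag makes the verified path a single setting: `insecureSkipTLSVerify: {{ and .Values.apiService.insecureSkipTLSVerify (not .Values.apiService.caBundle) }}`. values.yaml is outside this part of the diff, so the default should be confirmed there.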
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrole-aggregated-reader.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrole-aggregated-reader.yaml
new file mode 100644
index 0000000..d5e8fe1
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrole-aggregated-reader.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ printf "system:%s-aggregated-reader" (include "metrics-server.name" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+ - apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+{{- end -}}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrole-nanny.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrole-nanny.yaml
new file mode 100644
index 0000000..24edd81
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrole-nanny.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.rbac.create .Values.addonResizer.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+rules:
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+{{- end -}}
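Review bot: The role name in `metadata.name` is assembled by hand with `printf "system:%s-nanny"`, although `_helpers.tpl` in this commit defines `metrics-server.addonResizer.role` for exactly that string. clusterrolebinding-nanny.yaml spells it out twice more, once with `printf` and once with `template` in the `roleRef`. Using `{{ include "metrics-server.addonResizer.role" . }}` in all three places keeps the ClusterRole and the binding's `roleRef` from drifting apart if the naming is ever changed.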
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrole.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrole.yaml
new file mode 100644
index 0000000..5d25c1e
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrole.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ printf "system:%s" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/metrics
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ {{- if .Values.rbac.pspEnabled }}
+ - apiGroups:
+ - extensions
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - {{ printf "privileged-%s" (include "metrics-server.fullname" .) }}
+ verbs:
+ - use
+ {{- end -}}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrolebinding-auth-delegator.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrolebinding-auth-delegator.yaml
new file mode 100644
index 0000000..826c3b7
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrolebinding-auth-delegator.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "%s:system:auth-delegator" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrolebinding-nanny.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrolebinding-nanny.yaml
new file mode 100644
index 0000000..43738cc
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrolebinding-nanny.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.rbac.create -}}
+{{- if .Values.addonResizer.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:{{ template "metrics-server.fullname" . }}-nanny
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrolebinding.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..512cb65
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "system:%s" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:{{ template "metrics-server.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/configmaps-nanny.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/configmaps-nanny.yaml
new file mode 100644
index 0000000..c25005e
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/configmaps-nanny.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.addonResizer.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "metrics-server.addonResizer.configMap" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+data:
+ NannyConfiguration: |-
+ apiVersion: nannyconfig/v1alpha1
+ kind: NannyConfiguration
+ baseCPU: {{ .Values.addonResizer.nanny.cpu }}
+ cpuPerNode: {{ .Values.addonResizer.nanny.extraCpu }}
+ baseMemory: {{ .Values.addonResizer.nanny.memory }}
+ memoryPerNode: {{ .Values.addonResizer.nanny.extraMemory }}
+{{- end -}}
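Review bot: `cpuPerNode` reads `.Values.addonResizer.nanny.extraCpu`, while the README added in this commit documents the key as `addonResizer.nanny.extraCPU`. Values keys are case-sensitive, so a user who follows the README sets a key this template never reads, and `cpuPerNode` silently keeps whatever `extraCpu` holds (or renders empty if it is unset). values.yaml is not in this part of the diff, so confirm which spelling it uses and align the other side, for example by changing the README row to `addonResizer.nanny.extraCpu`.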
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/deployment.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/deployment.yaml
new file mode 100644
index 0000000..9f44be4
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/deployment.yaml
@@ -0,0 +1,147 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "metrics-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ {{- with .Values.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.replicas }}
+ {{- with .Values.updateStrategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "metrics-server.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "metrics-server.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ schedulerName: {{ .Values.schedulerName }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "metrics-server.serviceAccountName" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.priorityClassName }}
+ priorityClassName: {{ . | quote }}
+ {{- end }}
+ {{- if .Values.hostNetwork.enabled }}
+ hostNetwork: true
+ {{- end }}
+ containers:
+ - name: metrics-server
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ image: {{ include "metrics-server.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - {{ printf "--secure-port=%d" (int .Values.containerPort) }}
+ {{- range .Values.defaultArgs }}
+ - {{ . }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ - --authorization-always-allow-paths=/metrics
+ {{- end }}
+ {{- range .Values.args }}
+ - {{ . }}
+ {{- end }}
+ ports:
+ - name: https
+ protocol: TCP
+ containerPort: {{ .Values.containerPort }}
+ {{- with .Values.livenessProbe }}
+ livenessProbe:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.readinessProbe }}
+ readinessProbe:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ {{- with .Values.extraVolumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- if .Values.addonResizer.enabled }}
+ - name: metrics-server-nanny
+ image: {{ include "metrics-server.addonResizer.image" . }}
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command:
+ - /pod_nanny
+ - --config-dir=/etc/config
+ - --deployment={{ include "metrics-server.fullname" . }}
+ - --threshold={{ .Values.addonResizer.nanny.threshold }}
+ - --deployment={{ include "metrics-server.fullname" . }}
+ - --container=metrics-server
+ - --poll-period={{ .Values.addonResizer.nanny.pollPeriod }}
+ - --estimator=exponential
+ - --minClusterSize={{ .Values.addonResizer.nanny.minClusterSize }}
+ - --use-metrics=true
+ volumeMounts:
+ - name: nanny-config-volume
+ mountPath: /etc/config
+ {{- with .Values.addonResizer.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ {{- if .Values.addonResizer.enabled }}
+ - name: nanny-config-volume
+ configMap:
+ name: {{ include "metrics-server.addonResizer.configMap" . }}
+ {{- end }}
+ {{- with .Values.extraVolumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
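Review bot: The `metrics-server-nanny` sidecar is rendered without a `securityContext`, while the `metrics-server` container above it takes `.Values.securityContext` (non-root, read-only root filesystem and all capabilities dropped in the default values). The sidecar therefore runs with whatever the image and the pod-level `podSecurityContext` (empty by default) give it. I would render a container-level `securityContext` for the nanny too, either by repeating the `with .Values.securityContext` block or from a sidecar-specific value; whether the addon-resizer image runs under the same UID is not visible here and needs checking. The nanny `command` also passes `--deployment={{ include "metrics-server.fullname" . }}` twice, so one copy can go. Finally, `defaultArgs` and `args` entries are emitted as `- {{ . }}`; `- {{ . | quote }}` would keep a value containing `: ` or ` #` from breaking the rendered YAML.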
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/pdb.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/pdb.yaml
new file mode 100644
index 0000000..1f5eddf
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/pdb.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.podDisruptionBudget.enabled -}}
+apiVersion: {{ include "metrics-server.pdb.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "metrics-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+spec:
+ {{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "metrics-server.selectorLabels" . | nindent 6 }}
+{{- end -}}
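Review bot: Both `minAvailable` and `maxUnavailable` are rendered when both values are set, and the API server rejects a PodDisruptionBudget that carries both fields. Making the second block a branch of the first fixes this: replace the `{{- end }}` / `{{- if .Values.podDisruptionBudget.maxUnavailable }}` pair with `{{- else if .Values.podDisruptionBudget.maxUnavailable }}`. Both conditions also test truthiness, so an explicit `0` is silently dropped; a comment in values.yaml should state that.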
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/psp.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/psp.yaml
new file mode 100644
index 0000000..bf8ace1
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/psp.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ printf "privileged-%s" (include "metrics-server.fullname" .) }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+spec:
+ allowedCapabilities:
+ - '*'
+ fsGroup:
+ rule: RunAsAny
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - '*'
+ hostPID: true
+ hostIPC: true
+ hostNetwork: true
+ hostPorts:
+ - min: 1
+ max: 65536
+{{- end }}
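Review bot: The PodSecurityPolicy in this file allows everything (`privileged: true`, `allowedCapabilities: '*'`, `hostPID`/`hostIPC`/`hostNetwork: true`, every volume type), although the chart's default `securityContext` runs metrics-server as non-root with all capabilities dropped and a read-only root filesystem. Any subject allowed to `use` this policy could have a fully privileged pod admitted; the rule granting `use` is outside this hunk, so who that is cannot be confirmed from here. A policy matched to what the Deployment needs is sketched below; the volume list assumes `extraVolumes` stays within those types. Two further points: `hostPorts.max: 65536` is one past the highest valid port, and `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25, so `rbac.pspEnabled: true` cannot install on newer clusters.

```yaml
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  # … unchanged: fsGroup, seLinux, supplementalGroups …
  volumes:
    - emptyDir
    - configMap
    - secret
    - projected
  hostPID: false
  hostIPC: false
  hostNetwork: {{ .Values.hostNetwork.enabled }}
  {{- if .Values.hostNetwork.enabled }}
  hostPorts:
    - min: {{ .Values.containerPort }}
      max: {{ .Values.containerPort }}
  {{- end }}
```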
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/role-nanny.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/role-nanny.yaml
new file mode 100644
index 0000000..f0bf8fc
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/role-nanny.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.rbac.create -}}
+{{- if .Values.addonResizer.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "metrics-server.addonResizer.role" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ resourceNames:
+ - {{ include "metrics-server.fullname" . }}
+ verbs:
+ - get
+ - patch
+{{- end -}}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/rolebinding-nanny.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/rolebinding-nanny.yaml
new file mode 100644
index 0000000..73bfaaf
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/rolebinding-nanny.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.create -}}
+{{- if .Values.addonResizer.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-nanny" (include "metrics-server.fullname" .) }}
+ namespace: kube-system
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "metrics-server.addonResizer.role" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
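Review bot: `namespace: kube-system` is hard-coded on this RoleBinding, but the Role it references is created in `{{ .Release.Namespace }}` (role-nanny.yaml in this same commit). A RoleBinding can only reference a Role in its own namespace, so for a release installed anywhere other than kube-system the binding points at a Role that does not exist there, and the nanny gets no `get`/`patch` on the Deployment. It also makes the chart write an RBAC object into kube-system regardless of where it is installed. Use `namespace: {{ .Release.Namespace }}` here. The hard-coded kube-system in rolebinding.yaml is a different case, since `extension-apiserver-authentication-reader` is a Role that lives in kube-system.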
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/rolebinding.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/rolebinding.yaml
new file mode 100644
index 0000000..3fda743
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-auth-reader" (include "metrics-server.fullname" .) }}
+ namespace: kube-system
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/service.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/service.yaml
new file mode 100644
index 0000000..d45bcf3
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "metrics-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ {{- with .Values.service.labels -}}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: https
+ port: {{ .Values.service.port }}
+ protocol: TCP
+ targetPort: https
+ selector:
+ {{- include "metrics-server.selectorLabels" . | nindent 4 }}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/serviceaccount.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/serviceaccount.yaml
new file mode 100644
index 0000000..80ef699
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "metrics-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- with .Values.serviceAccount.secrets }}
+secrets:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end -}}
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/servicemonitor.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/servicemonitor.yaml
new file mode 100644
index 0000000..5c1c5b7
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/templates/servicemonitor.yaml
@@ -0,0 +1,40 @@
+{{- if and .Values.serviceMonitor.enabled .Values.metrics.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "metrics-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "metrics-server.labels" . | nindent 4 }}
+ {{- with .Values.serviceMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ jobLabel: {{ .Release.Name }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ {{- include "metrics-server.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: https
+ path: /metrics
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
+ {{- with .Values.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end -}}
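Review bot: `tlsConfig.insecureSkipVerify: true` is fixed in the template, so Prometheus never verifies the certificate presented on the `https` endpoint. No values key can turn verification on when metrics-server is given a CA-signed certificate. Presumably the setting exists because metrics-server generates a self-signed certificate under `--cert-dir=/tmp` (the chart's default argument). I would render `tlsConfig` from values with the current setting as the default, and put a comment above it such as `# metrics-server serves a self-signed certificate by default; supply a CA and disable insecureSkipVerify once a trusted certificate is configured`.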
diff --git a/goldilocks-4.9/charts/vpa/charts/metrics-server/values.yaml b/goldilocks-4.9/charts/vpa/charts/metrics-server/values.yaml
new file mode 100644
index 0000000..7520a94
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/charts/metrics-server/values.yaml
@@ -0,0 +1,176 @@
+# Default values for metrics-server.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ repository: registry.k8s.io/metrics-server/metrics-server
+ # Overrides the image tag whose default is v{{ .Chart.AppVersion }}
+ tag: ""
+ pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+# - name: registrySecretName
+
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+ # The list of secrets mountable by this service account.
+ # See https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets
+ secrets: []
+
+rbac:
+ # Specifies whether RBAC resources should be created
+ create: true
+ pspEnabled: false
+
+apiService:
+ # Specifies if the v1beta1.metrics.k8s.io API service should be created.
+ #
+ # You typically want this enabled! If you disable API service creation you have to
+ # manage it outside of this chart for e.g horizontal pod autoscaling to
+ # work with this release.
+ create: true
+ # Annotations to add to the API service
+ annotations: {}
+ # Specifies whether to skip TLS verification
+ insecureSkipTLSVerify: true
+ # The PEM encoded CA bundle for TLS verification
+ caBundle: ""
+
+commonLabels: {}
+podLabels: {}
+podAnnotations: {}
+
+podSecurityContext: {}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+
+priorityClassName: system-cluster-critical
+
+containerPort: 10250
+
+hostNetwork:
+ # Specifies if metrics-server should be started in hostNetwork mode.
+ #
+ # You would require this enabled if you use alternate overlay networking for pods and
+ # API server unable to communicate with metrics-server. As an example, this is required
+ # if you use Weave network on EKS
+ enabled: false
+
+replicas: 1
+
+updateStrategy: {}
+# type: RollingUpdate
+# rollingUpdate:
+# maxSurge: 0
+# maxUnavailable: 1
+
+podDisruptionBudget:
+ # https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ enabled: false
+ minAvailable:
+ maxUnavailable:
+
+defaultArgs:
+ - --cert-dir=/tmp
+ - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --kubelet-use-node-status-port
+ - --metric-resolution=15s
+
+args: []
+
+livenessProbe:
+ httpGet:
+ path: /livez
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ failureThreshold: 3
+
+readinessProbe:
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ failureThreshold: 3
+
+service:
+ type: ClusterIP
+ port: 443
+ annotations: {}
+ labels: {}
+ # Add these labels to have metrics-server show up in `kubectl cluster-info`
+ # kubernetes.io/cluster-service: "true"
+ # kubernetes.io/name: "Metrics-server"
+
+addonResizer:
+ enabled: false
+ image:
+ repository: registry.k8s.io/autoscaling/addon-resizer
+ tag: 1.8.14
+ resources:
+ limits:
+ cpu: 40m
+ memory: 25Mi
+ requests:
+ cpu: 40m
+ memory: 25Mi
+ nanny:
+ cpu: 20m
+ extraCpu: 1m
+ extraMemory: 2Mi
+ memory: 15Mi
+ minClusterSize: 10
+ pollPeriod: 300000
+ threshold: 5
+
+metrics:
+ enabled: false
+
+serviceMonitor:
+ enabled: false
+ additionalLabels: {}
+ interval: 1m
+ scrapeTimeout: 10s
+ metricRelabelings: []
+ relabelings: []
+
+# See https://github.com/kubernetes-sigs/metrics-server#scaling
+resources: {}
+
+extraVolumeMounts: []
+
+extraVolumes: []
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+topologySpreadConstraints: []
+
+# Annotations to add to the deployment
+deploymentAnnotations: {}
+
+schedulerName: ""
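Review bot: `apiService.insecureSkipTLSVerify: true` is the default, and its comment (`Specifies whether to skip TLS verification`) does not say whose certificate goes unverified. With this value and an empty `caBundle`, the aggregated API registration would tell the kube-apiserver not to verify the metrics-server serving certificate; the APIService template is outside this chunk, so this is inferred from the key names. Suggested comment: `# When true, the kube-apiserver does not verify the metrics-server serving certificate. Set to false and provide caBundle when the certificate is signed by a known CA.` Separately, `podDisruptionBudget.minAvailable:` and `maxUnavailable:` are bare keys that parse as null; writing `null` explicitly makes that intent visible.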
diff --git a/goldilocks-4.9/charts/vpa/ci/test-values.yaml b/goldilocks-4.9/charts/vpa/ci/test-values.yaml
new file mode 100644
index 0000000..00b4602
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/ci/test-values.yaml
@@ -0,0 +1,30 @@
+recommender:
+ enabled: true
+ podLabels:
+ app: test
+ foo: bar
+updater:
+ enabled: true
+ podLabels:
+ app: test
+ foo: bar
+admissionController:
+ enabled: true
+ extraArgs:
+ v: "4"
+ generateCertificate: true
+ certGen:
+ env:
+ ENVIRONMENTVARIABLE: exists
+ podLabels:
+ app: test
+ foo: bar
+podLabels:
+ app: test
+ foo: bar
+metrics-server:
+ enabled: true
+ apiService:
+ insecureSkipTLSVerify: true
+ args:
+ - "--kubelet-insecure-tls"
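Review bot: `--kubelet-insecure-tls` under `metrics-server.args` makes metrics-server skip verification of the kubelet serving certificates, and nothing in the file marks it as test-only. The file sits under `ci/`, so it is presumably meant for a throwaway test cluster, but values files tend to get copied. A leading comment would make the scope explicit: `# CI only: kubelet certificate verification is disabled for the test cluster; do not reuse in production values.`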
diff --git a/goldilocks-4.9/charts/vpa/crds/vpa-v1-crd.yaml b/goldilocks-4.9/charts/vpa/crds/vpa-v1-crd.yaml
new file mode 100644
index 0000000..5e4a8a7
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/crds/vpa-v1-crd.yaml
@@ -0,0 +1,758 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes/kubernetes/pull/63797
+ controller-gen.kubebuilder.io/version: v0.4.0
+ creationTimestamp: null
+ name: verticalpodautoscalers.autoscaling.k8s.io
+spec:
+ group: autoscaling.k8s.io
+ names:
+ kind: VerticalPodAutoscaler
+ listKind: VerticalPodAutoscalerList
+ plural: verticalpodautoscalers
+ shortNames:
+ - vpa
+ singular: verticalpodautoscaler
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.updatePolicy.updateMode
+ name: Mode
+ type: string
+ - jsonPath: .status.recommendation.containerRecommendations[0].target.cpu
+ name: CPU
+ type: string
+ - jsonPath: .status.recommendation.containerRecommendations[0].target.memory
+ name: Mem
+ type: string
+ - jsonPath: .status.conditions[?(@.type=='RecommendationProvided')].status
+ name: Provided
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: VerticalPodAutoscaler is the configuration for a vertical pod
+ autoscaler, which automatically manages pod resources based on historical
+ and real time resource utilization.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: 'Specification of the behavior of the autoscaler. More info:
+ https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.'
+ properties:
+ recommenders:
+ description: Recommender responsible for generating recommendation
+ for this object. List should be empty (then the default recommender
+ will generate the recommendation) or contain exactly one recommender.
+ items:
+ description: VerticalPodAutoscalerRecommenderSelector points to
+ a specific Vertical Pod Autoscaler recommender. In the future
+ it might pass parameters to the recommender.
+ properties:
+ name:
+ description: Name of the recommender responsible for generating
+ recommendation for this object.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ resourcePolicy:
+ description: Controls how the autoscaler computes recommended resources.
+ The resource policy may be used to set constraints on the recommendations
+ for individual containers. If not specified, the autoscaler computes
+ recommended resources for all containers in the pod, without additional
+ constraints.
+ properties:
+ containerPolicies:
+ description: Per-container resource policies.
+ items:
+ description: ContainerResourcePolicy controls how autoscaler
+ computes the recommended resources for a specific container.
+ properties:
+ containerName:
+ description: Name of the container or DefaultContainerResourcePolicy,
+ in which case the policy is used by the containers that
+ don't have their own policy specified.
+ type: string
+ controlledResources:
+ description: Specifies the type of recommendations that
+ will be computed (and possibly applied) by VPA. If not
+ specified, the default of [ResourceCPU, ResourceMemory]
+ will be used.
+ items:
+ description: ResourceName is the name identifying various
+ resources in a ResourceList.
+ type: string
+ type: array
+ controlledValues:
+ description: Specifies which resource values should be controlled.
+ The default is "RequestsAndLimits".
+ enum:
+ - RequestsAndLimits
+ - RequestsOnly
+ type: string
+ maxAllowed:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Specifies the maximum amount of resources that
+ will be recommended for the container. The default is
+ no maximum.
+ type: object
+ minAllowed:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Specifies the minimal amount of resources that
+ will be recommended for the container. The default is
+ no minimum.
+ type: object
+ mode:
+ description: Whether autoscaler is enabled for the container.
+ The default is "Auto".
+ enum:
+ - Auto
+ - "Off"
+ type: string
+ type: object
+ type: array
+ type: object
+ targetRef:
+ description: TargetRef points to the controller managing the set of
+ pods for the autoscaler to control - e.g. Deployment, StatefulSet.
+ VerticalPodAutoscaler can be targeted at controller implementing
+ scale subresource (the pod set is retrieved from the controller's
+ ScaleStatus) or some well known controllers (e.g. for DaemonSet
+ the pod set is read from the controller's spec). If VerticalPodAutoscaler
+ cannot use specified target it will report ConfigUnsupported condition.
+ Note that VerticalPodAutoscaler does not require full implementation
+ of scale subresource - it will not use it to modify the replica
+ count. The only thing retrieved is a label selector matching pods
+ grouped by the target resource.
+ properties:
+ apiVersion:
+ description: API version of the referent
+ type: string
+ kind:
+ description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"'
+ type: string
+ name:
+ description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names'
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ updatePolicy:
+ description: Describes the rules on how changes are applied to the
+ pods. If not specified, all fields in the `PodUpdatePolicy` are
+ set to their default values.
+ properties:
+ minReplicas:
+ description: Minimal number of replicas which need to be alive
+ for Updater to attempt pod eviction (pending other checks like
+ PDB). Only positive values are allowed. Overrides global '--min-replicas'
+ flag.
+ format: int32
+ type: integer
+ updateMode:
+ description: Controls when autoscaler applies changes to the pod
+ resources. The default is 'Auto'.
+ enum:
+ - "Off"
+ - Initial
+ - Recreate
+ - Auto
+ type: string
+ type: object
+ required:
+ - targetRef
+ type: object
+ status:
+ description: Current information about the autoscaler.
+ properties:
+ conditions:
+ description: Conditions is the set of conditions required for this
+ autoscaler to scale its target, and indicates whether or not those
+ conditions are met.
+ items:
+ description: VerticalPodAutoscalerCondition describes the state
+ of a VerticalPodAutoscaler at a certain point.
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another
+ format: date-time
+ type: string
+ message:
+ description: message is a human-readable explanation containing
+ details about the transition
+ type: string
+ reason:
+ description: reason is the reason for the condition's last transition.
+ type: string
+ status:
+ description: status is the status of the condition (True, False,
+ Unknown)
+ type: string
+ type:
+ description: type describes the current condition
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ recommendation:
+ description: The most recently computed amount of resources recommended
+ by the autoscaler for the controlled pods.
+ properties:
+ containerRecommendations:
+ description: Resources recommended by the autoscaler for each
+ container.
+ items:
+ description: RecommendedContainerResources is the recommendation
+ of resources computed by autoscaler for a specific container.
+ Respects the container resource policy if present in the spec.
+ In particular the recommendation is not produced for containers
+ with `ContainerScalingMode` set to 'Off'.
+ properties:
+ containerName:
+ description: Name of the container.
+ type: string
+ lowerBound:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Minimum recommended amount of resources. Observes
+ ContainerResourcePolicy. This amount is not guaranteed
+ to be sufficient for the application to operate in a stable
+ way, however running with less resources is likely to
+ have significant impact on performance/availability.
+ type: object
+ target:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Recommended amount of resources. Observes ContainerResourcePolicy.
+ type: object
+ uncappedTarget:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: The most recent recommended resources target
+ computed by the autoscaler for the controlled pods, based
+ only on actual resource usage, not taking into account
+ the ContainerResourcePolicy. May differ from the Recommendation
+ if the actual resource usage causes the target to violate
+ the ContainerResourcePolicy (lower than MinAllowed or
+ higher that MaxAllowed). Used only as status indication,
+ will not affect actual resource assignment.
+ type: object
+ upperBound:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Maximum recommended amount of resources. Observes
+ ContainerResourcePolicy. Any resources allocated beyond
+ this value are likely wasted. This value may be larger
+ than the maximum amount of application is actually capable
+ of consuming.
+ type: object
+ required:
+ - target
+ type: object
+ type: array
+ type: object
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
+ - name: v1beta2
+ schema:
+ openAPIV3Schema:
+ description: VerticalPodAutoscaler is the configuration for a vertical pod
+ autoscaler, which automatically manages pod resources based on historical
+ and real time resource utilization.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: 'Specification of the behavior of the autoscaler. More info:
+ https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.'
+ properties:
+ resourcePolicy:
+ description: Controls how the autoscaler computes recommended resources.
+ The resource policy may be used to set constraints on the recommendations
+ for individual containers. If not specified, the autoscaler computes
+ recommended resources for all containers in the pod, without additional
+ constraints.
+ properties:
+ containerPolicies:
+ description: Per-container resource policies.
+ items:
+ description: ContainerResourcePolicy controls how autoscaler
+ computes the recommended resources for a specific container.
+ properties:
+ containerName:
+ description: Name of the container or DefaultContainerResourcePolicy,
+ in which case the policy is used by the containers that
+ don't have their own policy specified.
+ type: string
+ maxAllowed:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Specifies the maximum amount of resources that
+ will be recommended for the container. The default is
+ no maximum.
+ type: object
+ minAllowed:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Specifies the minimal amount of resources that
+ will be recommended for the container. The default is
+ no minimum.
+ type: object
+ mode:
+ description: Whether autoscaler is enabled for the container.
+ The default is "Auto".
+ enum:
+ - Auto
+ - "Off"
+ type: string
+ type: object
+ type: array
+ type: object
+ targetRef:
+ description: TargetRef points to the controller managing the set of
+ pods for the autoscaler to control - e.g. Deployment, StatefulSet.
+ VerticalPodAutoscaler can be targeted at controller implementing
+ scale subresource (the pod set is retrieved from the controller's
+ ScaleStatus) or some well known controllers (e.g. for DaemonSet
+ the pod set is read from the controller's spec). If VerticalPodAutoscaler
+ cannot use specified target it will report ConfigUnsupported condition.
+ Note that VerticalPodAutoscaler does not require full implementation
+ of scale subresource - it will not use it to modify the replica
+ count. The only thing retrieved is a label selector matching pods
+ grouped by the target resource.
+ properties:
+ apiVersion:
+ description: API version of the referent
+ type: string
+ kind:
+ description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"'
+ type: string
+ name:
+ description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names'
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ updatePolicy:
+ description: Describes the rules on how changes are applied to the
+ pods. If not specified, all fields in the `PodUpdatePolicy` are
+ set to their default values.
+ properties:
+ updateMode:
+ description: Controls when autoscaler applies changes to the pod
+ resources. The default is 'Auto'.
+ enum:
+ - "Off"
+ - Initial
+ - Recreate
+ - Auto
+ type: string
+ type: object
+ required:
+ - targetRef
+ type: object
+ status:
+ description: Current information about the autoscaler.
+ properties:
+ conditions:
+ description: Conditions is the set of conditions required for this
+ autoscaler to scale its target, and indicates whether or not those
+ conditions are met.
+ items:
+ description: VerticalPodAutoscalerCondition describes the state
+ of a VerticalPodAutoscaler at a certain point.
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another
+ format: date-time
+ type: string
+ message:
+ description: message is a human-readable explanation containing
+ details about the transition
+ type: string
+ reason:
+ description: reason is the reason for the condition's last transition.
+ type: string
+ status:
+ description: status is the status of the condition (True, False,
+ Unknown)
+ type: string
+ type:
+ description: type describes the current condition
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ recommendation:
+ description: The most recently computed amount of resources recommended
+ by the autoscaler for the controlled pods.
+ properties:
+ containerRecommendations:
+ description: Resources recommended by the autoscaler for each
+ container.
+ items:
+ description: RecommendedContainerResources is the recommendation
+ of resources computed by autoscaler for a specific container.
+ Respects the container resource policy if present in the spec.
+ In particular the recommendation is not produced for containers
+ with `ContainerScalingMode` set to 'Off'.
+ properties:
+ containerName:
+ description: Name of the container.
+ type: string
+ lowerBound:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Minimum recommended amount of resources. Observes
+ ContainerResourcePolicy. This amount is not guaranteed
+ to be sufficient for the application to operate in a stable
+ way, however running with less resources is likely to
+ have significant impact on performance/availability.
+ type: object
+ target:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Recommended amount of resources. Observes ContainerResourcePolicy.
+ type: object
+ uncappedTarget:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: The most recent recommended resources target
+ computed by the autoscaler for the controlled pods, based
+ only on actual resource usage, not taking into account
+ the ContainerResourcePolicy. May differ from the Recommendation
+ if the actual resource usage causes the target to violate
+ the ContainerResourcePolicy (lower than MinAllowed or
+ higher that MaxAllowed). Used only as status indication,
+ will not affect actual resource assignment.
+ type: object
+ upperBound:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Maximum recommended amount of resources. Observes
+ ContainerResourcePolicy. Any resources allocated beyond
+ this value are likely wasted. This value may be larger
+ than the maximum amount of application is actually capable
+ of consuming.
+ type: object
+ required:
+ - target
+ type: object
+ type: array
+ type: object
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes/kubernetes/pull/63797
+ controller-gen.kubebuilder.io/version: v0.4.0
+ creationTimestamp: null
+ name: verticalpodautoscalercheckpoints.autoscaling.k8s.io
+spec:
+ group: autoscaling.k8s.io
+ names:
+ kind: VerticalPodAutoscalerCheckpoint
+ listKind: VerticalPodAutoscalerCheckpointList
+ plural: verticalpodautoscalercheckpoints
+ shortNames:
+ - vpacheckpoint
+ singular: verticalpodautoscalercheckpoint
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: VerticalPodAutoscalerCheckpoint is the checkpoint of the internal
+ state of VPA that is used for recovery after recommender's restart.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: 'Specification of the checkpoint. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.'
+ properties:
+ containerName:
+ description: Name of the checkpointed container.
+ type: string
+ vpaObjectName:
+ description: Name of the VPA object that stored VerticalPodAutoscalerCheckpoint
+ object.
+ type: string
+ type: object
+ status:
+ description: Data of the checkpoint.
+ properties:
+ cpuHistogram:
+ description: Checkpoint of histogram for consumption of CPU.
+ properties:
+ bucketWeights:
+ description: Map from bucket index to bucket weight.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ referenceTimestamp:
+ description: Reference timestamp for samples collected within
+ this histogram.
+ format: date-time
+ nullable: true
+ type: string
+ totalWeight:
+ description: Sum of samples to be used as denominator for weights
+ from BucketWeights.
+ type: number
+ type: object
+ firstSampleStart:
+ description: Timestamp of the fist sample from the histograms.
+ format: date-time
+ nullable: true
+ type: string
+ lastSampleStart:
+ description: Timestamp of the last sample from the histograms.
+ format: date-time
+ nullable: true
+ type: string
+ lastUpdateTime:
+ description: The time when the status was last refreshed.
+ format: date-time
+ nullable: true
+ type: string
+ memoryHistogram:
+ description: Checkpoint of histogram for consumption of memory.
+ properties:
+ bucketWeights:
+ description: Map from bucket index to bucket weight.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ referenceTimestamp:
+ description: Reference timestamp for samples collected within
+ this histogram.
+ format: date-time
+ nullable: true
+ type: string
+ totalWeight:
+ description: Sum of samples to be used as denominator for weights
+ from BucketWeights.
+ type: number
+ type: object
+ totalSamplesCount:
+ description: Total number of samples in the histograms.
+ type: integer
+ version:
+ description: Version of the format of the stored data.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ - name: v1beta2
+ schema:
+ openAPIV3Schema:
+ description: VerticalPodAutoscalerCheckpoint is the checkpoint of the internal
+ state of VPA that is used for recovery after recommender's restart.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: 'Specification of the checkpoint. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.'
+ properties:
+ containerName:
+ description: Name of the checkpointed container.
+ type: string
+ vpaObjectName:
+ description: Name of the VPA object that stored VerticalPodAutoscalerCheckpoint
+ object.
+ type: string
+ type: object
+ status:
+ description: Data of the checkpoint.
+ properties:
+ cpuHistogram:
+ description: Checkpoint of histogram for consumption of CPU.
+ properties:
+ bucketWeights:
+ description: Map from bucket index to bucket weight.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ referenceTimestamp:
+ description: Reference timestamp for samples collected within
+ this histogram.
+ format: date-time
+ nullable: true
+ type: string
+ totalWeight:
+ description: Sum of samples to be used as denominator for weights
+ from BucketWeights.
+ type: number
+ type: object
+ firstSampleStart:
+ description: Timestamp of the fist sample from the histograms.
+ format: date-time
+ nullable: true
+ type: string
+ lastSampleStart:
+ description: Timestamp of the last sample from the histograms.
+ format: date-time
+ nullable: true
+ type: string
+ lastUpdateTime:
+ description: The time when the status was last refreshed.
+ format: date-time
+ nullable: true
+ type: string
+ memoryHistogram:
+ description: Checkpoint of histogram for consumption of memory.
+ properties:
+ bucketWeights:
+ description: Map from bucket index to bucket weight.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ referenceTimestamp:
+ description: Reference timestamp for samples collected within
+ this histogram.
+ format: date-time
+ nullable: true
+ type: string
+ totalWeight:
+ description: Sum of samples to be used as denominator for weights
+ from BucketWeights.
+ type: number
+ type: object
+ totalSamplesCount:
+ description: Total number of samples in the histograms.
+ type: integer
+ version:
+ description: Version of the format of the stored data.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: false
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/goldilocks-4.9/charts/vpa/templates/NOTES.txt b/goldilocks-4.9/charts/vpa/templates/NOTES.txt
new file mode 100644
index 0000000..3e81367
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/NOTES.txt
@@ -0,0 +1,20 @@
+Congratulations on installing the Vertical Pod Autoscaler!
+
+Components Installed:
+{{- if .Values.recommender.enabled }}
+ - recommender
+{{- end }}
+{{- if .Values.updater.enabled }}
+ - updater
+{{- end }}
+{{- if .Values.admissionController.enabled }}
+ - admission-controller
+{{- end }}
+
+To verify functionality, you can try running 'helm -n {{ .Release.Namespace}} test {{ .Release.Name }}'
+
+{{- if not (include "vpa.webhook.upgradable" .) }}
+
+Warning: The mutatingwebhookconfiguration '{{ include "vpa.fullname" . }}-webhook-config' is not managed by this Helm release.
+It is highly encouraged in this case, to verify the webhook's configuration by running all Helm tests.
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/_helpers.tpl b/goldilocks-4.9/charts/vpa/templates/_helpers.tpl
new file mode 100644
index 0000000..dcd2803
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/_helpers.tpl
@@ -0,0 +1,65 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vpa.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "vpa.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vpa.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "vpa.labels" -}}
+helm.sh/chart: {{ include "vpa.chart" . }}
+{{ include "vpa.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "vpa.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "vpa.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vpa.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "vpa.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
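Review bot: The `else` branch of `vpa.serviceAccountName` falls back to the literal `default`, but every caller visible in this diff appends a component suffix, so with `serviceAccount.create: false` and no name set the rendered account is `default-admission-controller`, `default-recommender` or `default-updater`, not the namespace's default account. The Deployments would then reference an account that nothing in the chart creates. The ClusterRoleBindings in admission-controller-rbac.yaml and clusterrolebindings.yaml are gated on `rbac.create` alone, so they would still grant cluster-wide roles to that name, and any principal allowed to create ServiceAccounts in the release namespace could take those roles by creating it. Failing the render is safer than guessing, for example `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}` in the `else` branch. The suffixing convention should also be stated in the helper's comment.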
diff --git a/goldilocks-4.9/charts/vpa/templates/admission-controller-deployment.yaml b/goldilocks-4.9/charts/vpa/templates/admission-controller-deployment.yaml
new file mode 100644
index 0000000..1c26906
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/admission-controller-deployment.yaml
@@ -0,0 +1,103 @@
+{{- if .Values.admissionController.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "vpa.fullname" . }}-admission-controller
+ labels:
+ app.kubernetes.io/component: admission-controller
+ {{- include "vpa.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.admissionController.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: admission-controller
+ {{- include "vpa.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.admissionController.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- with .Values.admissionController.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ app.kubernetes.io/component: admission-controller
+ {{- include "vpa.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.priorityClassName }}
+ priorityClassName: {{ . }}
+ {{- end }}
+ serviceAccountName: {{ include "vpa.serviceAccountName" . }}-admission-controller
+ securityContext:
+ {{- toYaml .Values.admissionController.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.admissionController.securityContext | nindent 12 }}
+ image: {{ printf "%s:%s" .Values.admissionController.image.repository (.Values.admissionController.image.tag | default .Chart.AppVersion) }}
+ imagePullPolicy: {{ .Values.admissionController.image.pullPolicy }}
+ args:
+ - --register-webhook=false
+ - --webhook-service={{ include "vpa.fullname" . }}-webhook
+ {{- if .Values.admissionController.generateCertificate }}
+ - --client-ca-file=/etc/tls-certs/ca
+ - --tls-cert-file=/etc/tls-certs/cert
+ - --tls-private-key=/etc/tls-certs/key
+ {{- end }}
+ {{- if .Values.admissionController.extraArgs }}
+ {{- range $key, $value := .Values.admissionController.extraArgs }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ - name: tls-certs
+ mountPath: "/etc/tls-certs"
+ readOnly: true
+ {{- if .Values.admissionController.livenessProbe }}
+ livenessProbe:
+ {{- toYaml .Values.admissionController.livenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.admissionController.readinessProbe }}
+ readinessProbe:
+ {{- toYaml .Values.admissionController.readinessProbe | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 8000
+ protocol: TCP
+ - name: metrics
+ containerPort: 8944
+ protocol: TCP
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {{- toYaml .Values.admissionController.resources | nindent 12 }}
+ volumes:
+ - name: tls-certs
+ secret:
+ secretName: {{ include "vpa.webhook.secret" . }}
+ {{- with .Values.admissionController.tlsSecretKeys }}
+ items:
+ {{- toYaml . | nindent 14 }}
+ {{- end }}
+ {{- with .Values.admissionController.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.admissionController.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.admissionController.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
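Review bot: The `extraArgs` loop emits `- --{{ $key }}={{ $value }}` as a plain YAML scalar, so a value containing ` #` is silently truncated at the comment marker and one containing `: ` turns the list item into a mapping. Rendering the whole argument as a quoted string avoids both: `- {{ printf "--%s=%v" $key $value | quote }}`. The same line appears in recommender-deployment.yaml and needs the same change. The loop runs after the fixed flags, so a key such as `register-webhook` would add a second occurrence of a flag the chart sets deliberately; a comment naming the reserved keys would help whoever edits the values file.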
diff --git a/goldilocks-4.9/charts/vpa/templates/admission-controller-pdb.yaml b/goldilocks-4.9/charts/vpa/templates/admission-controller-pdb.yaml
new file mode 100644
index 0000000..c203a69
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/admission-controller-pdb.yaml
@@ -0,0 +1,13 @@
+---
+{{- if and .Values.admissionController.podDisruptionBudget (gt (int .Values.admissionController.replicaCount) 1) .Values.admissionController.enabled }}
+apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
+kind: PodDisruptionBudget
+metadata:
+ name: "{{ template "vpa.fullname" . }}-admission-controller-pdb"
+spec:
+ {{- toYaml .Values.admissionController.podDisruptionBudget | nindent 2 }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/name: {{ template "vpa.fullname" . }}
+{{- end }}
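Review bot: The PodDisruptionBudget selector matches `app.kubernetes.io/name: {{ template "vpa.fullname" . }}`, but the pods are labelled through `vpa.selectorLabels`, which sets that label to `vpa.name` and adds `app.kubernetes.io/instance`. Unless the release name happens to equal the chart name, the two values differ, the budget selects no pods, and a node drain can take down every admission-controller replica at once. Replacing the last selector line with `{{- include "vpa.selectorLabels" . | nindent 6 }}` keeps the budget in step with the Deployment's own selector. recommender-pdb.yaml has the same mismatch.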
diff --git a/goldilocks-4.9/charts/vpa/templates/admission-controller-rbac.yaml b/goldilocks-4.9/charts/vpa/templates/admission-controller-rbac.yaml
new file mode 100644
index 0000000..3039dbf
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/admission-controller-rbac.yaml
@@ -0,0 +1,67 @@
+{{- if and .Values.admissionController.enabled .Values.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vpa-admission-controller
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ - nodes
+ - limitranges
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "admissionregistration.k8s.io"
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - apiGroups:
+ - "poc.autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - update
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vpa-admission-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vpa-admission-controller
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-admission-controller
+ namespace: {{ .Release.Namespace }}
+{{- end }}
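Review bot: The `admissionregistration.k8s.io` rule grants `create` and `delete` on every `mutatingwebhookconfigurations` object in the cluster, while the Deployment in this chart starts the controller with `--register-webhook=false`. If self-registration really is disabled, those two verbs are presumably unused. They are also a large grant, since an identity that can create mutating webhooks can alter any object admitted to the API server. Consider dropping `create` and `delete` here, or rendering them only behind a value that also flips `--register-webhook`. If the `get`/`list` verbs are still needed, a comment saying what reads the configuration would make the remaining grant reviewable.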
diff --git a/goldilocks-4.9/charts/vpa/templates/admission-controller-service-account.yaml b/goldilocks-4.9/charts/vpa/templates/admission-controller-service-account.yaml
new file mode 100644
index 0000000..71e33a8
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/admission-controller-service-account.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.serviceAccount.create .Values.admissionController.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "vpa.serviceAccountName" . }}-admission-controller
+ labels:
+ {{- include "vpa.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-controller
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/admission-controller-service.yaml b/goldilocks-4.9/charts/vpa/templates/admission-controller-service.yaml
new file mode 100644
index 0000000..afc8ad1
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/admission-controller-service.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.admissionController.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "vpa.fullname" . }}-webhook
+spec:
+ ports:
+ - port: 443
+ targetPort: 8000
+ selector:
+ app.kubernetes.io/component: admission-controller
+ {{- include "vpa.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/clusterrolebindings.yaml b/goldilocks-4.9/charts/vpa/templates/clusterrolebindings.yaml
new file mode 100644
index 0000000..cb0864f
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/clusterrolebindings.yaml
@@ -0,0 +1,112 @@
+{{- if .Values.rbac.create }}
+
+{{- if .Values.recommender.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vpa-metrics-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vpa-metrics-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-recommender
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vpa-checkpoint-actor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vpa-checkpoint-actor
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-recommender
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+
+{{- if .Values.updater.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vpa-evictionter-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vpa-evictioner
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-updater
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vpa-status-reader-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vpa-status-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-updater
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+
+{{- if or .Values.recommender.enabled .Values.updater.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vpa-actor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vpa-actor
+subjects:
+{{- if .Values.recommender.enabled }}
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-recommender
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- if .Values.updater.enabled }}
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-updater
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
+
+{{- if coalesce .Values.recommender.enabled .Values.updater.enabled .Values.admissionController.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vpa-target-reader-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vpa-target-reader
+subjects:
+{{- if .Values.recommender.enabled }}
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-recommender
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- if .Values.admissionController.enabled}}
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-admission-controller
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- if .Values.updater.enabled }}
+ - kind: ServiceAccount
+ name: {{ include "vpa.serviceAccountName" . }}-updater
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
+
+{{- end }}
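Review bot: The binding names are fixed strings that follow no single pattern: `vpa-metrics-reader`, `vpa-checkpoint-actor` and `vpa-actor` reuse the role name, `vpa-status-reader-binding` and `vpa-target-reader-binding` add a suffix, and `vpa-evictionter-binding` misspells the `vpa-evictioner` role it points at. Because none of them includes `vpa.fullname`, a second release of this chart in the same cluster would collide on these cluster-scoped objects. Prefixing each with `{{ include "vpa.fullname" . }}-` and settling on one suffix makes an audit of who holds which ClusterRole much easier to read. Correcting the misspelled name changes the object's identity, so it should be called out in the chart's upgrade notes.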
diff --git a/goldilocks-4.9/charts/vpa/templates/clusterroles.yaml b/goldilocks-4.9/charts/vpa/templates/clusterroles.yaml
new file mode 100644
index 0000000..8e82657
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/clusterroles.yaml
@@ -0,0 +1,167 @@
+{{- if .Values.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vpa-metrics-reader
+rules:
+ - apiGroups:
+ - "metrics.k8s.io"
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vpa-actor
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - limitranges
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - apiGroups:
+ - "poc.autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - apiGroups:
+ - "autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vpa-checkpoint-actor
+rules:
+ - apiGroups:
+ - "poc.autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalercheckpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - patch
+ - delete
+ - apiGroups:
+ - "autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalercheckpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vpa-evictioner
+rules:
+ - apiGroups:
+ - "apps"
+ - "extensions"
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - pods/eviction
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vpa-target-reader
+rules:
+ - apiGroups:
+ - '*'
+ resources:
+ - '*/scale'
+ verbs:
+ - get
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - replicationcontrollers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vpa-status-reader
+rules:
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
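Review bot: `vpa-actor` and `vpa-checkpoint-actor` each carry a rule for the `poc.autoscaling.k8s.io` group, as does the admission-controller role, but the CRDs visible in this diff are all registered under `autoscaling.k8s.io`. If no CRD in the chart uses the `poc` group, these rules are standing permissions (including `patch`, `create` and `delete`) on whatever might later be installed under that group name, and they can be removed. Separately, the `vpa-target-reader` rule with `apiGroups: '*'` and `resources: '*/scale'` deserves a one-line comment such as `# wildcard needed to read the scale subresource of arbitrary controllers`, so that reviewers do not have to rediscover why the wildcard is there.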
diff --git a/goldilocks-4.9/charts/vpa/templates/recommender-deployment.yaml b/goldilocks-4.9/charts/vpa/templates/recommender-deployment.yaml
new file mode 100644
index 0000000..d6ec515
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/recommender-deployment.yaml
@@ -0,0 +1,76 @@
+{{- if .Values.recommender.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "vpa.fullname" . }}-recommender
+ labels:
+ app.kubernetes.io/component: recommender
+ {{- include "vpa.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.recommender.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: recommender
+ {{- include "vpa.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.recommender.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- with .Values.recommender.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ app.kubernetes.io/component: recommender
+ {{- include "vpa.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.priorityClassName }}
+ priorityClassName: {{ . }}
+ {{- end }}
+ serviceAccountName: {{ include "vpa.serviceAccountName" . }}-recommender
+ securityContext:
+ {{- toYaml .Values.recommender.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.recommender.securityContext | nindent 12 }}
+ image: {{ printf "%s:%s" .Values.recommender.image.repository (.Values.recommender.image.tag | default .Chart.AppVersion) }}
+ imagePullPolicy: {{ .Values.recommender.image.pullPolicy }}
+ {{- if .Values.recommender.extraArgs }}
+ args:
+ {{- range $key, $value := .Values.recommender.extraArgs }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.recommender.livenessProbe }}
+ livenessProbe:
+ {{- toYaml .Values.recommender.livenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.recommender.readinessProbe }}
+ readinessProbe:
+ {{- toYaml .Values.recommender.readinessProbe | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: 8942
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.recommender.resources | nindent 12 }}
+ {{- with .Values.recommender.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.recommender.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.recommender.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/recommender-pdb.yaml b/goldilocks-4.9/charts/vpa/templates/recommender-pdb.yaml
new file mode 100644
index 0000000..d4d238b
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/recommender-pdb.yaml
@@ -0,0 +1,13 @@
+---
+{{- if and .Values.recommender.podDisruptionBudget (gt (int .Values.recommender.replicaCount) 1) .Values.recommender.enabled }}
+apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
+kind: PodDisruptionBudget
+metadata:
+ name: "{{ template "vpa.fullname" . }}-recommender-pdb"
+spec:
+ {{- toYaml .Values.recommender.podDisruptionBudget | nindent 2 }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: recommender
+ app.kubernetes.io/name: {{ template "vpa.fullname" . }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/recommender-podmonitor.yaml b/goldilocks-4.9/charts/vpa/templates/recommender-podmonitor.yaml
new file mode 100644
index 0000000..59670c2
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/recommender-podmonitor.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.recommender.podMonitor }}
+{{- if and .Values.recommender.enabled .Values.recommender.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ include "vpa.fullname" . }}-recommender
+ {{- with .Values.recommender.podMonitor.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.recommender.podMonitor.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ podMetricsEndpoints:
+ - interval: 30s
+ path: /metrics
+ port: metrics
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: recommender
+ {{- include "vpa.selectorLabels" . | nindent 6 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/goldilocks-4.9/charts/vpa/templates/recommender-service-account.yaml b/goldilocks-4.9/charts/vpa/templates/recommender-service-account.yaml
new file mode 100644
index 0000000..407bdc1
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/recommender-service-account.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.serviceAccount.create .Values.recommender.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "vpa.serviceAccountName" . }}-recommender
+ labels:
+ {{- include "vpa.labels" . | nindent 4 }}
+ app.kubernetes.io/component: recommender
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/tests/_test_helpers.tpl b/goldilocks-4.9/charts/vpa/templates/tests/_test_helpers.tpl
new file mode 100644
index 0000000..f9a5f1f
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/tests/_test_helpers.tpl
@@ -0,0 +1,21 @@
+{{/*
+Get kubectl image tag
+*/}}
+{{- define "vpa.test.tag" -}}
+{{- if .Values.tests.image }}
+{{- default (printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor) .Values.tests.image.tag }}
+{{- else }}
+{{- printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor }}
+{{- end }}
+{{- end }}
+
+{{/*
+Get kubectl image name
+*/}}
+{{- define "vpa.test.image" -}}
+{{- if .Values.tests.image }}
+{{- printf "%s:%s" (default "bitnami/kubectl" .Values.tests.image.repository) (default (include "vpa.test.tag" . ) .Values.tests.image.tag) }}
+{{- else }}
+{{- printf "bitnami/kubectl:%s" (include "vpa.test.tag" . ) }}
+{{- end }}
+{{- end }}
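Review bot: The default tag in `vpa.test.tag` is built from `.Capabilities.KubeVersion.Minor`, which some managed clusters report with a trailing `+` (for example `25+`), so the rendered `bitnami/kubectl:<major>.<minor>` reference would not be a valid image tag there. Trimming the suffix in both branches avoids that: `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | trimSuffix "+")`. The fallback is also a floating tag on an unqualified repository, and the test pods run under the `-test` service account. A comment above `vpa.test.image` should recommend setting `tests.image.repository` and `tests.image.tag` to a mirrored, fixed image on production clusters.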
diff --git a/goldilocks-4.9/charts/vpa/templates/tests/crds-available.yaml b/goldilocks-4.9/charts/vpa/templates/tests/crds-available.yaml
new file mode 100644
index 0000000..0acfad1
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/tests/crds-available.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "vpa.fullname" . }}-test-crds-available
+ labels:
+ {{- include "vpa.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "hook-succeeded,before-hook-creation"
+ "helm.sh/hook-weight": "10"
+spec:
+ serviceAccountName: {{ include "vpa.fullname" . }}-test
+ containers:
+ - name: test
+ {{- if .Values.tests.securityContext }}
+ securityContext:
+ {{- toYaml .Values.tests.securityContext | nindent 8 }}
+ {{- end }}
+ image: {{ include "vpa.test.image" . }}
+ {{- if .Values.tests.image }}
+ imagePullPolicy: {{ .Values.tests.image.pullPolicy }}
+ {{- end }}
+ command: ['kubectl']
+ args:
+ - get
+ - crd
+ - verticalpodautoscalercheckpoints.autoscaling.k8s.io
+ - verticalpodautoscalers.autoscaling.k8s.io
+ restartPolicy: Never
diff --git a/goldilocks-4.9/charts/vpa/templates/tests/create-vpa.yaml b/goldilocks-4.9/charts/vpa/templates/tests/create-vpa.yaml
new file mode 100644
index 0000000..fe91bf8
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/tests/create-vpa.yaml
@@ -0,0 +1,47 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "vpa.fullname" . }}-test-create-vpa
+ labels:
+ {{- include "vpa.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+ "helm.sh/hook-weight": "20"
+spec:
+ serviceAccountName: {{ include "vpa.fullname" . }}-test
+ containers:
+ - name: test
+ {{- if .Values.tests.securityContext }}
+ securityContext:
+ {{- toYaml .Values.tests.securityContext | nindent 8 }}
+ {{- end }}
+ image: {{ include "vpa.test.image" . }}
+ {{- if .Values.tests.image }}
+ imagePullPolicy: {{ .Values.tests.image.pullPolicy }}
+ {{- end }}
+ command: ['bash']
+ args:
+ - -c
+ - |
+ #!/bin/bash
+
+ set -ex
+ cat <=1.21.0-0" .Capabilities.KubeVersion.Version) }}
+kind: PodDisruptionBudget
+metadata:
+ name: "{{ template "vpa.fullname" . }}-updater-pdb"
+spec:
+ {{- toYaml .Values.updater.podDisruptionBudget | nindent 2 }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: updater
+ app.kubernetes.io/name: {{ template "vpa.fullname" . }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/updater-podmonitor.yaml b/goldilocks-4.9/charts/vpa/templates/updater-podmonitor.yaml
new file mode 100644
index 0000000..d0b0a4b
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/updater-podmonitor.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.updater.podMonitor }}
+{{- if and .Values.updater.enabled .Values.updater.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ include "vpa.fullname" . }}-updater
+ {{- with .Values.updater.podMonitor.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.updater.podMonitor.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ podMetricsEndpoints:
+ - interval: 30s
+ path: /metrics
+ port: metrics
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: updater
+ {{- include "vpa.selectorLabels" . | nindent 6 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/goldilocks-4.9/charts/vpa/templates/updater-service-account.yaml b/goldilocks-4.9/charts/vpa/templates/updater-service-account.yaml
new file mode 100644
index 0000000..b7ff077
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/updater-service-account.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.serviceAccount.create .Values.updater.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ include "vpa.serviceAccountName" . }}-updater
+ labels:
+ {{- include "vpa.labels" . | nindent 4 }}
+ app.kubernetes.io/component: updater
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/webhooks/_webhook_helpers.tpl b/goldilocks-4.9/charts/vpa/templates/webhooks/_webhook_helpers.tpl
new file mode 100644
index 0000000..cf75019
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/webhooks/_webhook_helpers.tpl
@@ -0,0 +1,37 @@
+{{/*
+See, if we can upgrade the mutatingWebhookConfiguration
+*/}}
+{{- define "vpa.webhook.upgradable" -}}
+{{/*lookup config*/}}
+{{- $webhook := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" "" (printf "%s-%s" (include "vpa.fullname" .) "webhook-config")) }}
+{{- if $webhook }}
+ {{- /*is it managed by this helm release?*/ -}}
+ {{- if and
+ (hasKey $webhook.metadata "labels")
+ (hasKey $webhook.metadata "annotations")
+ (hasKey $webhook.metadata.labels "app.kubernetes.io/managed-by")
+ (hasKey $webhook.metadata.annotations "meta.helm.sh/release-name")
+ (hasKey $webhook.metadata.annotations "meta.helm.sh/release-namespace")
+ (eq (get $webhook.metadata.labels "app.kubernetes.io/managed-by") "Helm")
+ (eq (get $webhook.metadata.annotations "meta.helm.sh/release-name") .Release.Name)
+ (eq (get $webhook.metadata.annotations "meta.helm.sh/release-namespace") .Release.Namespace)
+ }}
+ {{- "true" | toYaml -}}
+ {{- else }}
+ {{- "" -}}
+ {{- end }}
+{{- else }}
+ {{- "true" | toYaml -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the name for the webhook tls secret
+*/}}
+{{- define "vpa.webhook.secret" -}}
+{{- if .Values.admissionController.secretName }}
+{{- default (printf "%s-%s" (include "vpa.fullname" .) "tls-certs") (tpl (.Values.admissionController.secretName | toString) .) }}
+{{- else }}
+{{- printf "%s-%s" (include "vpa.fullname" .) "tls-certs" }}
+{{- end }}
+{{- end }}
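Review bot: The fallback in `vpa.webhook.secret` yields `<fullname>-tls-certs`, while the default `admissionController.secretName` in this chart's values.yaml renders `<fullname>-tls-secret`, so clearing `secretName` silently changes which Secret the certgen jobs create and read. If the admission-controller deployment resolves the secret through this same helper the install stays consistent, but that template is not in this hunk, so it is worth confirming. Either align the suffix or document it on the helper, e.g. `{{/* Falls back to <fullname>-tls-certs when admissionController.secretName is empty; the values.yaml default is <fullname>-tls-secret */}}`.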
diff --git a/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-clusterrole.yaml b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-clusterrole.yaml
new file mode 100644
index 0000000..4d163c0
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-clusterrole.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/component: admission-certgen
+ {{- include "vpa.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+{{- end }}
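Review bot: The rule grants `get` and `update` on every validating and mutating webhook configuration in the cluster, which is broader than the patch job in this chart needs: it passes `--patch-validating=false` and targets only `<fullname>-webhook-config`. A service account that can update arbitrary webhook configurations can change admission behaviour for the whole cluster, so the rule should drop `validatingwebhookconfigurations` and add `resourceNames:` with `- {{ include "vpa.fullname" . }}-webhook-config`. `resourceNames` is honoured for `get` and `update`, so the job keeps working, assuming certgen only reads and updates that one object.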
diff --git a/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-clusterrolebinding.yaml b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-clusterrolebinding.yaml
new file mode 100644
index 0000000..12e1f96
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/component: admission-certgen
+ {{- include "vpa.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-create.yaml b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-create.yaml
new file mode 100644
index 0000000..1b7757a
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-create.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "vpa.fullname" . }}-admission-certgen-create
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/component: certgen
+ {{- include "vpa.labels" . | nindent 4 }}
+spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ metadata:
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+ labels:
+ app.kubernetes.io/component: cadmission-ertgen
+ {{- include "vpa.labels" . | nindent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: {{ include "vpa.fullname" . }}-admission-certgen
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: create
+ image: {{ printf "%s:%s" .Values.admissionController.certGen.image.repository .Values.admissionController.certGen.image.tag }}
+ args:
+ - create
+ - --host={{ include "vpa.fullname" . }}-webhook,{{ include "vpa.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+ - --namespace={{ .Release.Namespace }}
+ - --secret-name={{ include "vpa.webhook.secret" . }}
+ resources:
+ {{- toYaml .Values.admissionController.certGen.resources | nindent 12 }}
+ {{- with .Values.admissionController.certGen.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.admissionController.certGen.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.admissionController.certGen.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.admissionController.certGen.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
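Review bot: The pod-template label on the create job reads `app.kubernetes.io/component: cadmission-ertgen`, a typo, and the job's own label is `certgen` while every other certgen resource uses `admission-certgen`; any selector, NetworkPolicy or audit query keyed on that label will miss these pods. Both lines should read `app.kubernetes.io/component: admission-certgen`. The container also sets no `imagePullPolicy` although values.yaml defines `admissionController.certGen.image.pullPolicy` (and `certGen.env`), so those values have no effect here; add `imagePullPolicy: {{ .Values.admissionController.certGen.image.pullPolicy }}` or remove the unused keys. The same gap is present on the container in certgen-patch.yaml.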
diff --git a/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-patch.yaml b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-patch.yaml
new file mode 100644
index 0000000..35fbac4
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-patch.yaml
@@ -0,0 +1,55 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "vpa.fullname" . }}-admission-certgen-patch
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/component: admission-certgen
+ {{- include "vpa.labels" . | nindent 4 }}
+spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ metadata:
+ name: {{ include "vpa.fullname" . }}-admission-certgen-patch
+ labels:
+ app.kubernetes.io/component: admission-certgen
+ {{- include "vpa.labels" . | nindent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: {{ include "vpa.fullname" . }}-admission-certgen
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: patch
+ image: {{ printf "%s:%s" .Values.admissionController.certGen.image.repository .Values.admissionController.certGen.image.tag }}
+ args:
+ - patch
+ - --webhook-name={{ include "vpa.fullname" . }}-webhook-config
+ - --namespace={{ .Release.Namespace }}
+ - --secret-name={{ include "vpa.webhook.secret" . }}
+ - --patch-validating=false
+ - --log-level=debug
+ resources:
+ {{- toYaml .Values.admissionController.certGen.resources | nindent 12 }}
+ {{- with .Values.admissionController.certGen.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.admissionController.certGen.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.admissionController.certGen.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.admissionController.certGen.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
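Review bot: This job is gated only on `admissionController.enabled` and `generateCertificate`, not on `vpa.webhook.upgradable`, so when mutating.yaml is skipped because an existing `<fullname>-webhook-config` is not managed by this release, the post-install hook still patches that object. Presumably the patch writes the generated CA into the webhook's `caBundle`, which would change TLS trust on a configuration this release does not own. Gate it the same way as the webhook itself: `{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate (include "vpa.webhook.upgradable" .) }}`. Separately, `--log-level=debug` is hard-coded; a values key would let operators lower it.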
diff --git a/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-role.yaml b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-role.yaml
new file mode 100644
index 0000000..9fba851
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-role.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/component: admission-certgen
+ {{- include "vpa.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+{{- end }}
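Review bot: The Role lets the certgen service account `get` every Secret in the release namespace, although the jobs only name one secret via `--secret-name={{ include "vpa.webhook.secret" . }}`. `create` cannot be limited by `resourceNames`, but `get` can, so splitting the rule into two confines reads to the webhook TLS secret. This assumes certgen reads no other Secret, which should be checked against the image before merging.

```yaml
rules:
  # create cannot be restricted by resourceNames
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  # reads are limited to the webhook TLS secret
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - {{ include "vpa.webhook.secret" . }}
    verbs:
      - get
```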
diff --git a/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-rolebinding.yaml b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-rolebinding.yaml
new file mode 100644
index 0000000..8f15a50
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-rolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/component: admission-certgen
+ {{- include "vpa.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-sa.yaml b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-sa.yaml
new file mode 100644
index 0000000..bb50d2e
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/webhooks/jobs/certgen-sa.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.admissionController.enabled .Values.admissionController.generateCertificate }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "vpa.fullname" . }}-admission-certgen
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/component: admission-certgen
+ {{- include "vpa.labels" . | nindent 4 }}
+{{- end }}
diff --git a/goldilocks-4.9/charts/vpa/templates/webhooks/mutating.yaml b/goldilocks-4.9/charts/vpa/templates/webhooks/mutating.yaml
new file mode 100644
index 0000000..03776ab
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/templates/webhooks/mutating.yaml
@@ -0,0 +1,49 @@
+{{- if and .Values.admissionController.enabled (include "vpa.webhook.upgradable" .) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ include "vpa.fullname" . }}-webhook-config
+ labels:
+ app.kubernetes.io/component: admission-controller
+ {{- include "vpa.labels" . | nindent 4 }}
+ {{- with .Values.admissionController.mutatingWebhookConfiguration.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "vpa.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace }}
+ port: 443
+ failurePolicy: {{ .Values.admissionController.mutatingWebhookConfiguration.failurePolicy }}
+ matchPolicy: Equivalent
+ name: vpa.k8s.io
+ namespaceSelector: {{ .Values.admissionController.mutatingWebhookConfiguration.namespaceSelector | toYaml }}
+ objectSelector: {{ .Values.admissionController.mutatingWebhookConfiguration.objectSelector | toYaml }}
+ reinvocationPolicy: Never
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+ scope: '*'
+ - apiGroups:
+ - autoscaling.k8s.io
+ apiVersions:
+ - '*'
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - verticalpodautoscalers
+ scope: '*'
+ sideEffects: None
+ timeoutSeconds: {{ .Values.admissionController.mutatingWebhookConfiguration.timeoutSeconds }}
+{{- end }}
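Review bot: `namespaceSelector: {{ ... | toYaml }}` and the `objectSelector` line below it only render valid YAML while the value is the default `{}`; any non-empty selector makes `toYaml` emit block-style text (`matchLabels:` followed by indented lines) on the same line as the key, and the manifest fails to parse. That blocks the obvious hardening step of scoping the webhook away from system namespaces. Rendering as flow JSON keeps it on one line: `namespaceSelector: {{ .Values.admissionController.mutatingWebhookConfiguration.namespaceSelector | toJson }}`, and likewise for `objectSelector`. With the default empty selector the `pods` CREATE rule covers every namespace, so setting `failurePolicy: Fail` would block pod creation cluster-wide while the webhook is unavailable.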
diff --git a/goldilocks-4.9/charts/vpa/values.yaml b/goldilocks-4.9/charts/vpa/values.yaml
new file mode 100644
index 0000000..fc332f1
--- /dev/null
+++ b/goldilocks-4.9/charts/vpa/values.yaml
@@ -0,0 +1,280 @@
+# Default values for vertical-pod-autoscaler.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# imagePullSecrets -- A list of image pull secrets to be used for all pods
+imagePullSecrets: []
+# priorityClassName -- To set the priorityclass for all pods
+priorityClassName: ""
+# nameOverride -- A template override for the name
+nameOverride: ""
+# fullnameOverride -- A template override for the fullname
+fullnameOverride: ""
+# podLabels -- Labels to add to all pods
+podLabels: {}
+rbac:
+ # rbac.create -- If true, then rbac resources (clusterroles and clusterrolebindings) will be created for the selected components.
+ # Temporary rbac resources will still be created, to ensure a functioning installation process
+ create: true
+
+serviceAccount:
+ # serviceAccount.create -- Specifies whether a service account should be created for each component
+ create: true
+ # serviceAccount.annotations -- Annotations to add to the service accounts for each component
+ annotations: {}
+ # serviceAccount.name -- The base name of the service account to use (appended with the component). If not set and create is true, a name is generated using the fullname template and appended for each component
+ name: ""
+ # serviceAccount.automountServiceAccountToken -- Automount API credentials for the Service Account
+ automountServiceAccountToken: true
+
+recommender:
+ # recommender.enabled -- If true, the vpa recommender component will be installed.
+ enabled: true
+ # recommender.extraArgs -- A set of key-value flags to be passed to the recommender
+ extraArgs:
+ v: "4"
+ pod-recommendation-min-cpu-millicores: 15
+ pod-recommendation-min-memory-mb: 100
+ replicaCount: 1
+ # recommender.podDisruptionBudget -- This is the setting for the pod disruption budget
+ podDisruptionBudget: {}
+ # maxUnavailable: 1
+ image:
+ # recommender.image.repository -- The location of the recommender image
+ repository: registry.k8s.io/autoscaling/vpa-recommender
+ # recommender.image.tag -- Overrides the image tag whose default is the chart appVersion
+ tag: ""
+ # recommender.image.pullPolicy -- The pull policy for the recommender image. Recommend not changing this
+ pullPolicy: Always
+ # recommender.podAnnotations -- Annotations to add to the recommender pod
+ podAnnotations: {}
+ # recommender.podLabels -- Labels to add to the recommender pod
+ podLabels: {}
+ # recommender.podSecurityContext -- The security context for the recommender pod
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ # recommender.securityContext -- The security context for the containers inside the recommender pod
+ securityContext: {}
+ # recommender.livenessProbe -- The liveness probe definition inside the recommender pod
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /health-check
+ port: metrics
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ # recommender.readinessProbe -- The readiness probe definition inside the recommender pod
+ readinessProbe:
+ failureThreshold: 120
+ httpGet:
+ path: /health-check
+ port: metrics
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ # recommender.resources -- The resources block for the recommender pod
+ resources:
+ limits:
+ cpu: 200m
+ memory: 1000Mi
+ requests:
+ cpu: 50m
+ memory: 500Mi
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+ # -- Enables a prometheus operator podMonitor for the recommender
+ podMonitor:
+ enabled: false
+ annotations: {}
+ labels: {}
+
+updater:
+ # updater.enabled -- If true, the updater component will be deployed
+ enabled: true
+ # updater.extraArgs -- A key-value map of flags to pass to the updater
+ extraArgs: {}
+ replicaCount: 1
+ # updater.podDisruptionBudget -- This is the setting for the pod disruption budget
+ podDisruptionBudget: {}
+ # maxUnavailable: 1
+ image:
+ # updater.image.repository -- The location of the updater image
+ repository: registry.k8s.io/autoscaling/vpa-updater
+ # updater.image.tag -- Overrides the image tag whose default is the chart appVersion
+ tag: ""
+ # updater.image.pullPolicy -- The pull policy for the updater image. Recommend not changing this
+ pullPolicy: Always
+ # updater.podAnnotations -- Annotations to add to the updater pod
+ podAnnotations: {}
+ # updater.podLabels -- Labels to add to the updater pod
+ podLabels: {}
+ # updater.podSecurityContext -- The security context for the updater pod
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ # updater.securityContext -- The security context for the containers inside the updater pod
+ securityContext: {}
+ # updater.livenessProbe -- The liveness probe definition inside the updater pod
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /health-check
+ port: metrics
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ # updater.readinessProbe -- The readiness probe definition inside the updater pod
+ readinessProbe:
+ failureThreshold: 120
+ httpGet:
+ path: /health-check
+ port: metrics
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ # updater.resources -- The resources block for the updater pod
+ resources:
+ limits:
+ cpu: 200m
+ memory: 1000Mi
+ requests:
+ cpu: 50m
+ memory: 500Mi
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+ # -- Enables a prometheus operator podMonitor for the updater
+ podMonitor:
+ enabled: false
+ annotations: {}
+ labels: {}
+
+admissionController:
+ # admissionController.enabled -- If true, will install the admission-controller component of vpa
+ enabled: true
+ # admissionController.extraArgs -- A key-value map of flags to pass to the admissionController
+ extraArgs: {}
+ # admissionController.generateCertificate -- If true and admissionController is enabled, a pre-install hook will run to create the certificate for the webhook
+ generateCertificate: true
+ # admissionController.secretName -- Name for the TLS secret created for the webhook. Default {{ .Release.Name }}-tls-secret
+ secretName: "{{ include \"vpa.fullname\" . }}-tls-secret"
+ certGen:
+ image:
+ # admissionController.certGen.image.repository -- An image that contains certgen for creating certificates. Only used if admissionController.generateCertificate is true
+ repository: registry.k8s.io/ingress-nginx/kube-webhook-certgen
+ # admissionController.certGen.image.tag -- An image tag for the admissionController.certGen.image.repository image. Only used if admissionController.generateCertificate is true
+ tag: v20230312-helm-chart-4.5.2-28-g66a760794
+ # admissionController.certGen.image.pullPolicy -- The pull policy for the certgen image. Recommend not changing this
+ pullPolicy: Always
+ # admissionController.certGen.env -- Additional environment variables to be added to the certgen container. Format is KEY: Value format
+ env: {}
+ # admissionController.certGen.resources -- The resources block for the certgen pod
+ resources: {}
+ # admissionController.certGen.securityContext -- The securityContext block for the certgen pod
+ securityContext: {}
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+
+ mutatingWebhookConfiguration:
+ # admissionController.mutatingWebhookConfiguration.annotations -- Additional annotations for the MutatingWebhookConfiguration. Can be used for integration with cert-manager
+ annotations: {}
+ # admissionController.mutatingWebhookConfiguration.failurePolicy -- The failurePolicy for the mutating webhook. Allowed values are: Ignore, Fail
+ failurePolicy: Ignore
+ # admissionController.mutatingWebhookConfiguration.namespaceSelector -- The namespaceSelector controls, which namespaces are affected by the webhook
+ namespaceSelector: {}
+ # admissionController.mutatingWebhookConfiguration.objectSelector -- The objectSelector can filter object on e.g. labels
+ objectSelector: {}
+ # admissionController.mutatingWebhookConfiguration.timeout -- Sets the amount of time the API server will wait on a response from the webhook service.
+ timeoutSeconds: 30
+
+ replicaCount: 1
+ # admissionController.podDisruptionBudget -- This is the setting for the pod disruption budget
+ podDisruptionBudget: {}
+ # maxUnavailable: 1
+ image:
+ # admissionController.image.repository -- The location of the vpa admission controller image
+ repository: registry.k8s.io/autoscaling/vpa-admission-controller
+ # admissionController.image.tag -- Overrides the image tag whose default is the chart appVersion
+ tag: ""
+ # admissionController.image.pullPolicy -- The pull policy for the admission controller image. Recommend not changing this
+ pullPolicy: Always
+ # admissionController.podAnnotations -- Annotations to add to the admission controller pod
+ podAnnotations: {}
+ # admissionController.podLabels -- Labels to add to the admission controller pod
+ podLabels: {}
+ # admissionController.podSecurityContext -- The security context for the admission controller pod
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ # admissionController.securityContext -- The security context for the containers inside the admission controller pod
+ securityContext: {}
+ # admissionController.livenessProbe -- The liveness probe definition inside the admission controller pod
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /health-check
+ port: metrics
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ # admissionController.readinessProbe -- The readiness probe definition inside the admission controller pod
+ readinessProbe:
+ failureThreshold: 120
+ httpGet:
+ path: /health-check
+ port: metrics
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ # admissionController.resources -- The resources block for the admission controller pod
+ resources:
+ limits:
+ cpu: 200m
+ memory: 500Mi
+ requests:
+ cpu: 50m
+ memory: 200Mi
+ # admissionController.tlsSecretKeys -- The keys in the vpa-tls-certs secret to map in to the admission controller
+ tlsSecretKeys: []
+ # - key: ca.crt
+ # path: caCert.pem
+ # - key: tls.crt
+ # path: serverCert.pem
+ # - key: tls.key
+ # path: serverKey.pem
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+
+tests:
+ # tests.securityContext -- The security context for the containers run as helm hook tests
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 10324
+ capabilities:
+ drop:
+ - ALL
+ image:
+ # tests.image.repository -- An image used for testing containing bash, cat and kubectl
+ repository: bitnami/kubectl
+ # tests.image.tag -- An image tag for the tests image
+ tag: ""
+ # tests.image.pullPolicy -- The pull policy for the tests image.
+ pullPolicy: Always
+
+# metrics-server -- configuration options for the [metrics server Helm chart](https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server). See the projects [README.md](https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server#configuration) for all available options
+metrics-server:
+ # metrics-server.enabled -- Whether or not the metrics server Helm chart should be installed
+ enabled: false
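Review bot: The container-level `securityContext` defaults for `recommender`, `updater` and `admissionController` are `{}`, so out of the box those containers keep the runtime's default capabilities and can escalate privileges, while `tests.securityContext` in the same file already sets the hardened form. Defaulting the three component blocks to at least `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` would match it; `readOnlyRootFilesystem: true` needs checking against the images first. Two comments are also out of step with the values they describe: `admissionController.secretName` says the default is `{{ .Release.Name }}-tls-secret` but the value uses `vpa.fullname`, and the comment labelled `mutatingWebhookConfiguration.timeout` documents the key `timeoutSeconds`.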
diff --git a/goldilocks-4.9/ci/service-account-name-values.yaml b/goldilocks-4.9/ci/service-account-name-values.yaml
new file mode 100644
index 0000000..ae61a47
--- /dev/null
+++ b/goldilocks-4.9/ci/service-account-name-values.yaml
@@ -0,0 +1,7 @@
+controller:
+ serviceAccount:
+ name: controller-test
+
+dashboard:
+ serviceAccount:
+ name: dashboard-test
diff --git a/goldilocks-4.9/ci/test-values.yaml b/goldilocks-4.9/ci/test-values.yaml
new file mode 100644
index 0000000..343cea1
--- /dev/null
+++ b/goldilocks-4.9/ci/test-values.yaml
@@ -0,0 +1,52 @@
+# For testing, make sure to install the vpa and metrics-server as sub-charts
+vpa:
+ enabled: true
+
+metrics-server:
+ enabled: true
+ extraArgs:
+ - --kubelet-insecure-tls
+ - --kubelet-preferred-address-types=InternalIP
+
+controller:
+ flags:
+ on-by-default: true
+ exclude-namespaces: kube-system
+ deployment:
+ additionalLabels:
+ test: value
+ podAnnotations:
+ foo: bar
+ rbac:
+ extraRules:
+ - apiGroups:
+ - "batch"
+ resources:
+ - "*"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ extraClusterRoleBindings:
+ - view
+
+dashboard:
+ basePath: goldilocks
+ ingress:
+ enabled: true
+ hosts:
+ - host: goldilocks.example.local
+ paths:
+ - path: /
+ type: ImplementationSpecific
+ replicaCount: 2
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app: alertmanager
+ deployment:
+ additionalLabels:
+ test: value
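Review bot: `--kubelet-insecure-tls` turns off verification of the kubelet serving certificate for metrics-server, and nothing next to the flag says it is here only for the test cluster. A comment above `extraArgs` would stop it being copied into real values: `# CI only: skips kubelet serving-cert verification; do not use in production values`. The `topologySpreadConstraints` `labelSelector` of `app: alertmanager` also looks copied from another chart and presumably matches no dashboard pod, so the constraint is not really exercised by this test.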
diff --git a/goldilocks-4.9/icon.png b/goldilocks-4.9/icon.png
new file mode 100644
index 0000000..a6a32f9
Binary files /dev/null and b/goldilocks-4.9/icon.png differ
diff --git a/goldilocks-4.9/logo.svg b/goldilocks-4.9/logo.svg
new file mode 100644
index 0000000..2f210cf
--- /dev/null
+++ b/goldilocks-4.9/logo.svg
@@ -0,0 +1,56 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/goldilocks-4.9/templates/NOTES.txt b/goldilocks-4.9/templates/NOTES.txt
new file mode 100644
index 0000000..254fbdf
--- /dev/null
+++ b/goldilocks-4.9/templates/NOTES.txt
@@ -0,0 +1,21 @@
+1. Get the application URL by running these commands:
+{{- if .Values.dashboard.ingress.enabled }}
+{{- range $host := .Values.dashboard.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.dashboard.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.dashboard.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "goldilocks.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.dashboard.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "goldilocks.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "goldilocks.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.dashboard.service.port }}
+{{- else if contains "ClusterIP" .Values.dashboard.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "goldilocks.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=dashboard" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl port-forward $POD_NAME 8080:80
+{{- end }}
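Review bot: The ingress branch prints `{{ . }}` for each entry of `.paths`, but the values files in this commit define every path as a map with `path` and `type`, so the printed URL ends in a Go map dump; it should be `{{ .path }}`. The ClusterIP branch forwards `8080:80`, while the dashboard container in dashboard-deployment.yaml listens on 8080, so the line should read `kubectl port-forward $POD_NAME 8080:8080` (and it passes no `--namespace`, unlike the lookup above it). The NodePort and LoadBalancer branches query a service named by `goldilocks.fullname`, whereas dashboard-service.yaml names it `<fullname>-dashboard`.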
diff --git a/goldilocks-4.9/templates/_helpers.tpl b/goldilocks-4.9/templates/_helpers.tpl
new file mode 100644
index 0000000..21b3cdc
--- /dev/null
+++ b/goldilocks-4.9/templates/_helpers.tpl
@@ -0,0 +1,54 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "goldilocks.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "goldilocks.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "goldilocks.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account for controller to use
+*/}}
+{{- define "controller.serviceAccountName" -}}
+{{- if .Values.controller.serviceAccount.create -}}
+ {{ default (printf "%s-controller" (include "goldilocks.fullname" .)) .Values.controller.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.controller.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account for dashboard to use
+*/}}
+{{- define "dashboard.serviceAccountName" -}}
+{{- if .Values.dashboard.serviceAccount.create -}}
+ {{ default (printf "%s-dashboard" (include "goldilocks.fullname" .)) .Values.dashboard.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.dashboard.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
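Review bot: When `serviceAccount.create` is false and no name is given, both helpers fall back to the namespace's `default` service account, and the ClusterRoleBindings in this commit then bind the controller and dashboard ClusterRoles to it, so every pod in the release namespace that runs as `default` inherits those cluster-wide permissions. The values comment already states that the name must be set in that case, so fail the render instead of defaulting: `{{ required "controller.serviceAccount.name is required when controller.serviceAccount.create is false" .Values.controller.serviceAccount.name }}`. The `dashboard.serviceAccountName` helper needs the same change with the dashboard keys.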
diff --git a/goldilocks-4.9/templates/controller-clusterrole.yaml b/goldilocks-4.9/templates/controller-clusterrole.yaml
new file mode 100644
index 0000000..c1cf9f1
--- /dev/null
+++ b/goldilocks-4.9/templates/controller-clusterrole.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.controller.rbac.create .Values.controller.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "goldilocks.fullname" . }}-controller
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: controller
+rules:
+ - apiGroups:
+ - 'apps'
+ resources:
+ - '*'
+ verbs:
+ - 'get'
+ - 'list'
+ - 'watch'
+ - apiGroups:
+ - ''
+ resources:
+ - 'namespaces'
+ - 'pods'
+ verbs:
+ - 'get'
+ - 'list'
+ - 'watch'
+ - apiGroups:
+ - 'autoscaling.k8s.io'
+ resources:
+ - 'verticalpodautoscalers'
+ verbs:
+ - 'get'
+ - 'list'
+ - 'create'
+ - 'delete'
+ - 'update'
+ {{- if .Values.controller.rbac.enableArgoproj }}
+ - apiGroups:
+ - 'argoproj.io'
+ resources:
+ - rollouts
+ verbs:
+ - 'get'
+ - 'list'
+ - 'watch'
+ {{- end }}
+ {{- if .Values.controller.rbac.extraRules -}}
+ {{ toYaml .Values.controller.rbac.extraRules | nindent 2 }}
+ {{- end }}
+{{- end }}
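Review bot: The first rule grants `get`/`list`/`watch` on `'*'` in the `apps` group, which also covers any resource added to that group later; the same wildcard appears in dashboard-clusterrole.yaml. Naming the workload kinds the controller reads keeps the role least-privilege, for example `- 'deployments'`, `- 'statefulsets'`, `- 'daemonsets'`, `- 'replicasets'`; that list is an assumption and should be checked against what the controller actually watches. `extraRules` is appended verbatim to a cluster-scoped role, so a comment here saying that values can widen it cluster-wide would help whoever reviews a values change.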
diff --git a/goldilocks-4.9/templates/controller-clusterrolebinding.yaml b/goldilocks-4.9/templates/controller-clusterrolebinding.yaml
new file mode 100644
index 0000000..562997c
--- /dev/null
+++ b/goldilocks-4.9/templates/controller-clusterrolebinding.yaml
@@ -0,0 +1,43 @@
+{{- if and .Values.controller.rbac.create .Values.controller.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "goldilocks.fullname" . }}-controller
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "goldilocks.fullname" . }}-controller
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "controller.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+
+{{- range $.Values.controller.rbac.extraClusterRoleBindings }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "goldilocks.fullname" $ }}-controller-{{ . }}
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" $ }}
+ helm.sh/chart: {{ include "goldilocks.chart" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ app.kubernetes.io/managed-by: {{ $.Release.Service }}
+ app.kubernetes.io/component: controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "goldilocks.fullname" $ }}-controller
+ namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
+
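Review bot: The subject of each extra binding is hard-coded as `{{ include "goldilocks.fullname" $ }}-controller`, while the first binding and the Deployment use the `controller.serviceAccountName` helper. With `controller.serviceAccount.name` set (as in ci/service-account-name-values.yaml) the extra ClusterRoles are bound to a service account the chart does not create, so the controller never receives them and whoever later creates an account with that name does. Use `name: {{ template "controller.serviceAccountName" $ }}` in the loop. `roleRef.name` takes any string from values, including built-in roles such as `cluster-admin`, which deserves a comment next to `extraClusterRoleBindings`.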
diff --git a/goldilocks-4.9/templates/controller-deployment.yaml b/goldilocks-4.9/templates/controller-deployment.yaml
new file mode 100644
index 0000000..818db55
--- /dev/null
+++ b/goldilocks-4.9/templates/controller-deployment.yaml
@@ -0,0 +1,92 @@
+{{- if .Values.controller.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "goldilocks.fullname" . }}-controller
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.deployment.additionalLabels }}
+ {{ toYaml .Values.controller.deployment.additionalLabels | nindent 4 }}
+ {{- end }}
+ {{- with .Values.controller.deployment.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: 1
+ {{- if .Values.controller.revisionHistoryLimit }}
+ revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: controller
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.deployment.additionalLabels }}
+ {{ toYaml .Values.controller.deployment.additionalLabels | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controller.deployment.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "controller.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - /goldilocks
+ - controller
+ - -v{{ .Values.controller.logVerbosity }}
+ {{- range $name, $value := .Values.controller.flags }}
+ - --{{ $name }}={{ $value }}
+ {{- end }}
+ {{- if .Values.controller.securityContext }}
+ securityContext:
+ {{- toYaml .Values.controller.securityContext | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.controller.resources | nindent 12 }}
+ {{- if .Values.controller.deployment.extraVolumeMounts }}
+ volumeMounts:
+ {{ toYaml .Values.controller.deployment.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+{{- if .Values.controller.deployment.extraVolumes }}
+ volumes:
+{{ toYaml .Values.controller.deployment.extraVolumes | indent 8}}
+{{- end }}
+ {{- with .Values.controller.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controller.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controller.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controller.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
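Review bot: The flag entries under `command` are emitted unquoted (`- --{{ $name }}={{ $value }}`), so a value containing `: `, ` #` or a leading YAML indicator changes how the list item parses instead of reaching the binary as one argument. Quote the whole item, `- {{ printf "--%s=%v" $name $value | quote }}`; the same loop in dashboard-deployment.yaml needs it too. The image is referenced by tag only, so an optional digest field in `image` would let an operator pin exactly what the controller runs.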
diff --git a/goldilocks-4.9/templates/controller-serviceaccount.yaml b/goldilocks-4.9/templates/controller-serviceaccount.yaml
new file mode 100644
index 0000000..388d089
--- /dev/null
+++ b/goldilocks-4.9/templates/controller-serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.controller.serviceAccount.create .Values.controller.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "controller.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: controller
+{{- end }}
diff --git a/goldilocks-4.9/templates/dashboard-clusterrole.yaml b/goldilocks-4.9/templates/dashboard-clusterrole.yaml
new file mode 100644
index 0000000..f1bb80e
--- /dev/null
+++ b/goldilocks-4.9/templates/dashboard-clusterrole.yaml
@@ -0,0 +1,44 @@
+{{- if and .Values.dashboard.rbac.create .Values.dashboard.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "goldilocks.fullname" . }}-dashboard
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: dashboard
+rules:
+ - apiGroups:
+ - 'autoscaling.k8s.io'
+ resources:
+ - 'verticalpodautoscalers'
+ verbs:
+ - 'get'
+ - 'list'
+ - apiGroups:
+ - 'apps'
+ resources:
+ - '*'
+ verbs:
+ - 'get'
+ - 'list'
+ - apiGroups:
+ - ''
+ resources:
+ - 'namespaces'
+ - 'pods'
+ verbs:
+ - 'get'
+ - 'list'
+ {{- if .Values.dashboard.rbac.enableArgoproj }}
+ - apiGroups:
+ - 'argoproj.io'
+ resources:
+ - rollouts
+ verbs:
+ - 'get'
+ - 'list'
+ {{- end }}
+{{- end }}
diff --git a/goldilocks-4.9/templates/dashboard-clusterrolebinding.yaml b/goldilocks-4.9/templates/dashboard-clusterrolebinding.yaml
new file mode 100644
index 0000000..52efc2d
--- /dev/null
+++ b/goldilocks-4.9/templates/dashboard-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.dashboard.rbac.create .Values.dashboard.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "goldilocks.fullname" . }}-dashboard
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: dashboard
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "goldilocks.fullname" . }}-dashboard
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "dashboard.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/goldilocks-4.9/templates/dashboard-deployment.yaml b/goldilocks-4.9/templates/dashboard-deployment.yaml
new file mode 100644
index 0000000..585ce25
--- /dev/null
+++ b/goldilocks-4.9/templates/dashboard-deployment.yaml
@@ -0,0 +1,109 @@
+{{- if .Values.dashboard.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "goldilocks.fullname" . }}-dashboard
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: dashboard
+ {{- if .Values.dashboard.deployment.additionalLabels }}
+ {{ toYaml .Values.dashboard.deployment.additionalLabels | nindent 4 }}
+ {{- end }}
+ {{- with .Values.dashboard.deployment.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.dashboard.replicaCount }}
+ {{- if .Values.dashboard.revisionHistoryLimit }}
+ revisionHistoryLimit: {{ .Values.dashboard.revisionHistoryLimit }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: dashboard
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: dashboard
+ {{- if .Values.dashboard.deployment.additionalLabels }}
+ {{ toYaml .Values.dashboard.deployment.additionalLabels | nindent 8 }}
+ {{- end }}
+ {{- with .Values.dashboard.deployment.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "dashboard.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.dashboard.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - /goldilocks
+ - dashboard
+ - --exclude-containers={{ .Values.dashboard.excludeContainers }}
+ - -v{{ .Values.dashboard.logVerbosity }}
+ {{- range $name, $value := .Values.dashboard.flags }}
+ - --{{ $name }}={{ $value }}
+ {{- end }}
+ {{- with .Values.dashboard.basePath }}
+ - --base-path
+ - {{ . }}
+ {{- end }}
+ {{- if .Values.dashboard.securityContext }}
+ securityContext:
+ {{- toYaml .Values.dashboard.securityContext | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: {{.Values.dashboard.basePath | default "" }}/health
+ port: http
+ readinessProbe:
+ httpGet:
+ path: {{.Values.dashboard.basePath | default "" }}/health
+ port: http
+ resources:
+ {{- toYaml .Values.dashboard.resources | nindent 12 }}
+ {{- if .Values.dashboard.deployment.extraVolumeMounts }}
+ volumeMounts:
+ {{ toYaml .Values.dashboard.deployment.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+{{- if .Values.dashboard.deployment.extraVolumes }}
+ volumes:
+{{ toYaml .Values.dashboard.deployment.extraVolumes | indent 8}}
+{{- end }}
+ {{- with .Values.dashboard.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.dashboard.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.dashboard.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controller.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
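Review bot: The `topologySpreadConstraints` block at the end reads `.Values.controller.topologySpreadConstraints`, so `dashboard.topologySpreadConstraints` (documented in the values files and set in ci/test-values.yaml) is never rendered and the controller's constraints are applied to the dashboard pods instead. It should be `{{- with .Values.dashboard.topologySpreadConstraints }}`. The argument after `--base-path` is also emitted unquoted; `- {{ . | quote }}` keeps it a string whatever the value looks like.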
diff --git a/goldilocks-4.9/templates/dashboard-ingress.yaml b/goldilocks-4.9/templates/dashboard-ingress.yaml
new file mode 100644
index 0000000..cc20f19
--- /dev/null
+++ b/goldilocks-4.9/templates/dashboard-ingress.yaml
@@ -0,0 +1,60 @@
+{{- if and .Values.dashboard.enabled .Values.dashboard.ingress.enabled }}
+{{- $fullName := include "goldilocks.fullname" . -}}
+{{- $apiV1 := false -}}
+{{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= v1.19-0" .Capabilities.KubeVersion.Version) -}}
+apiVersion: networking.k8s.io/v1
+{{- $apiV1 = true -}}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-dashboard
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: dashboard
+ {{- with .Values.dashboard.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if and (.Values.dashboard.ingress.ingressClassName) (semverCompare ">= v1.18-0" .Capabilities.KubeVersion.Version) }}
+ ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }}
+{{- end }}
+{{- if .Values.dashboard.ingress.tls }}
+ tls:
+ {{- range .Values.dashboard.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+{{- end }}
+ rules:
+ {{- range .Values.dashboard.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ {{- if $apiV1 }}
+ - path: {{ .path }}
+ pathType: {{ .type }}
+ backend:
+ service:
+ name: {{ $fullName }}-dashboard
+ port:
+ name: http
+ {{- else }}
+ - path: {{ .path }}
+ backend:
+ serviceName: {{ $fullName }}-dashboard
+ servicePort: http
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
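Review bot: The `networking.k8s.io/v1beta1` branch cannot be reached on any cluster this chart accepts, because Chart.yaml in the same commit sets `kubeVersion: '>= 1.22.0-0'` and the v1beta1 Ingress API was removed in Kubernetes 1.22; the `$apiV1` flag and the `serviceName`/`servicePort` backend are dead code. When neither capability check matches, the manifest is rendered without any `apiVersion` line. Emitting `apiVersion: networking.k8s.io/v1` unconditionally and dropping the `else` branch would be simpler. `path: {{ .path }}` and `secretName: {{ .secretName }}` should go through `quote`, as the host entries already do.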
diff --git a/goldilocks-4.9/templates/dashboard-service.yaml b/goldilocks-4.9/templates/dashboard-service.yaml
new file mode 100644
index 0000000..6fa8139
--- /dev/null
+++ b/goldilocks-4.9/templates/dashboard-service.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.dashboard.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "goldilocks.fullname" . }}-dashboard
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: dashboard
+ {{- with .Values.dashboard.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.dashboard.service.type }}
+ ports:
+ - port: {{ .Values.dashboard.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: dashboard
+{{- end }}
diff --git a/goldilocks-4.9/templates/dashboard-serviceaccount.yaml b/goldilocks-4.9/templates/dashboard-serviceaccount.yaml
new file mode 100644
index 0000000..d461c0e
--- /dev/null
+++ b/goldilocks-4.9/templates/dashboard-serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.dashboard.serviceAccount.create .Values.dashboard.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "dashboard.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: dashboard
+{{- end }}
diff --git a/goldilocks-4.9/templates/vpa-uninstall-hook.yaml b/goldilocks-4.9/templates/vpa-uninstall-hook.yaml
new file mode 100644
index 0000000..ea99eff
--- /dev/null
+++ b/goldilocks-4.9/templates/vpa-uninstall-hook.yaml
@@ -0,0 +1,75 @@
+{{- if .Values.uninstallVPA }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ "helm.sh/hook": "pre-upgrade,post-delete"
+ "helm.sh/hook-delete-policy": "hook-succeeded,before-hook-creation,hook-failed"
+ "helm.sh/hook-weight": "-250"
+ name: {{ include "goldilocks.fullname" . }}-vpa-uninstall
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "goldilocks.fullname" . }}-vpa-uninstall
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: vpa-uninstall
+ annotations:
+ "helm.sh/hook": "pre-upgrade,post-delete"
+ "helm.sh/hook-delete-policy": "hook-succeeded,before-hook-creation,hook-failed"
+ "helm.sh/hook-weight": "-240"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "goldilocks.fullname" . }}-vpa-uninstall
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "goldilocks.fullname" . }}-vpa-uninstall
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: vpa-uninstall
+ annotations:
+ "helm.sh/hook": "pre-upgrade,post-delete"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+ "helm.sh/hook-weight": "-230"
+spec:
+ template:
+ metadata:
+ name: {{ include "goldilocks.fullname" . }}-vpa-uninstall
+ labels:
+ app.kubernetes.io/name: {{ include "goldilocks.name" . }}
+ helm.sh/chart: {{ include "goldilocks.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: vpa-uninstall
+ spec:
+ restartPolicy: Never
+ serviceAccountName: {{ include "goldilocks.fullname" . }}-vpa-uninstall
+ containers:
+ - name: vpa-uninstall
+ image: quay.io/reactiveops/ci-images:v9-alpine
+ command: ["bash"]
+ args:
+ - -c
+ - |
+ apk --update add git openssl
+ git clone "https://github.com/kubernetes/autoscaler.git"
+ cd autoscaler/vertical-pod-autoscaler
+ git checkout {{ .Values.vpaVersion }}
+ ./hack/vpa-down.sh
+{{- end }}
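Review bot: The hook Job runs under a service account bound to `cluster-admin` and executes a script cloned from GitHub at hook time, at a ref taken from `.Values.vpaVersion`, which values-home.yaml does not define (nor does the visible part of values.yaml). With the value empty the line renders as a bare `git checkout`, and because the script has no `set -e` a failed checkout does not stop it either, so the default branch's `vpa-down.sh` runs with full cluster rights. Make the ref mandatory and fail fast: `git checkout {{ required "vpaVersion is required when uninstallVPA is true" .Values.vpaVersion | quote }}` with `set -euo pipefail` as the first script line. The binding should reference a ClusterRole limited to the objects `vpa-down.sh` deletes rather than `cluster-admin`, and the image tag and the `apk --update add` packages are fetched unpinned on every run.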
diff --git a/goldilocks-4.9/values-home.yaml b/goldilocks-4.9/values-home.yaml
new file mode 100644
index 0000000..3707c9f
--- /dev/null
+++ b/goldilocks-4.9/values-home.yaml
@@ -0,0 +1,185 @@
+# uninstallVPA -- Enabling this flag will remove a vpa installation that was previously managed with this chart. It is considered deprecated and will be removed in a later release.
+uninstallVPA: false
+
+vpa:
+ # vpa.enabled -- If true, the vpa will be installed as a sub-chart
+ enabled: false
+ updater:
+ enabled: false
+
+metrics-server:
+ # metrics-server.enabled -- If true, the metrics-server will be installed as a sub-chart
+ enabled: false
+ apiService:
+ create: true
+
+image:
+ # image.repository -- Repository for the goldilocks image
+ repository: us-docker.pkg.dev/fairwinds-ops/oss/goldilocks
+ # image.tag -- The goldilocks image tag to use
+ tag: v4.9.0
+ # image.pullPolicy -- imagePullPolicy - Highly recommended to leave this as `Always`
+ pullPolicy: Always
+
+# imagePullSecrets -- A list of image pull secret names to use
+imagePullSecrets: []
+
+nameOverride: ""
+fullnameOverride: ""
+
+controller:
+ # controller.enabled -- Whether or not to install the controller deployment
+ enabled: true
+ # controller.revisionHistoryLimit -- Number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets
+ revisionHistoryLimit: 10
+ rbac:
+ # controller.rbac.create -- If set to true, rbac resources will be created for the controller
+ create: true
+ # controller.rbac.enableArgoproj -- If set to true, the clusterrole will give access to argoproj.io resources
+ enableArgoproj: true
+ # controller.rbac.extraRules -- Extra rbac rules for the controller clusterrole
+ extraRules: []
+ # controller.rbac.extraClusterRoleBindings -- A list of ClusterRoles for which ClusterRoleBindings will be created for the ServiceAccount, if enabled
+ extraClusterRoleBindings: []
+ serviceAccount:
+ # controller.serviceAccount.create -- If true, a service account will be created for the controller. If set to false, you must set `controller.serviceAccount.name`
+ create: true
+ # controller.serviceAccount.name -- The name of an existing service account to use for the controller. Combined with `controller.serviceAccount.create`
+ name:
+
+ # controller.flags -- A map of additional flags to pass to the controller
+ flags: {}
+ # controller.logVerbosity -- Controller log verbosity. Can be set from 1-10 with 10 being extremely verbose
+ logVerbosity: "2"
+ # controller.nodeSelector -- Node selector for the controller pod
+ nodeSelector: {}
+ # controller.tolerations -- Tolerations for the controller pod
+ tolerations: []
+ # controller.affinity -- Affinity for the controller pods
+ affinity: {}
+ # controller.topologySpreadConstraints -- Topology spread constraints for the controller pods
+ topologySpreadConstraints: []
+ # controller.resources -- The resources block for the controller pods
+ resources:
+ limits:
+ memory: 256Mi
+ requests:
+ cpu: 25m
+ memory: 256Mi
+ # controller.podSecurityContext -- Defines the podSecurityContext for the controller pod
+ podSecurityContext: {}
+ # controller.securityContext -- The container securityContext for the controller container
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 10324
+ capabilities:
+ drop:
+ - ALL
+
+ deployment:
+ # controller.deployment.extraVolumeMounts -- Extra volume mounts for the controller container
+ extraVolumeMounts: []
+ # controller.deployment.extraVolumes -- Extra volumes for the controller pod
+ extraVolumes: []
+ # controller.deployment.annotations -- Extra annotations for the controller deployment
+ annotations: {}
+ # controller.deployment.additionalLabels -- Extra labels for the controller deployment
+ additionalLabels: {}
+
+ # controller.deployment.podAnnotations -- Extra annotations for the controller pod
+ podAnnotations: {}
+
+dashboard:
+ # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/`
+ basePath: null
+ # dashboard.enabled -- If true, the dashboard component will be installed
+ enabled: true
+ # dashboard.revisionHistoryLimit -- Number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets
+ revisionHistoryLimit: 10
+ # dashboard.replicaCount -- Number of dashboard pods to run
+ replicaCount: 1
+ service:
+ # dashboard.service.type -- The type of the dashboard service
+ type: ClusterIP
+ # dashboard.service.port -- The port to run the dashboard service on
+ port: 80
+ # dashboard.service.annotations -- Extra annotations for the dashboard service
+ annotations: {}
+ # dashboard.flags -- A map of additional flags to pass to the dashboard
+ flags: {}
+ # dashboard.logVerbosity -- Dashboard log verbosity. Can be set from 1-10 with 10 being extremely verbose
+ logVerbosity: "2"
+ # dashboard.excludeContainers -- Container names to exclude from displaying in the Goldilocks dashboard
+ excludeContainers: "linkerd-proxy,istio-proxy"
+ rbac:
+ # dashboard.rbac.create -- If set to true, rbac resources will be created for the dashboard
+ create: true
+ # dashboard.rbac.enableArgoproj -- If set to true, the clusterrole will give access to argoproj.io resources
+ enableArgoproj: true
+ serviceAccount:
+ # dashboard.serviceAccount.create -- If true, a service account will be created for the dashboard. If set to false, you must set `dashboard.serviceAccount.name`
+ create: true
+ # dashboard.serviceAccount.name -- The name of an existing service account to use for the controller. Combined with `dashboard.serviceAccount.create`
+ name:
+
+ deployment:
+ # dashboard.deployment.annotations -- Extra annotations for the dashboard deployment
+ annotations: {}
+ # dashboard.deployment.additionalLabels -- Extra labels for the dashboard deployment
+ additionalLabels: {}
+ # dashboard.deployment.extraVolumeMounts -- Extra volume mounts for the dashboard container
+ extraVolumeMounts: []
+ # dashboard.deployment.extraVolumes -- Extra volumes for the dashboard pod
+ extraVolumes: []
+
+ # dashboard.deployment.podAnnotations -- Extra annotations for the dashboard pod
+ podAnnotations: {}
+
+ ingress:
+ # dashboard.ingress.enabled -- Enables an ingress object for the dashboard.
+ enabled: true
+
+ # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
+ ingressClassName:
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+ nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ hosts:
+ - host: goldilocks.ervine.cloud
+ paths:
+ - path: /
+ type: ImplementationSpecific
+
+ tls:
+ - secretName: goldilocks-ervine-cloud-tls
+ hosts:
+ - goldilocks.ervine.cloud
+
+ # dashboard.resources -- A resources block for the dashboard.
+ resources:
+ limits:
+ memory: 256Mi
+ requests:
+ cpu: 25m
+ memory: 256Mi
+ # dashboard.podSecurityContext -- Defines the podSecurityContext for the dashboard pod
+ podSecurityContext: {}
+ # dashboard.securityContext -- The container securityContext for the dashboard container
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 10324
+ capabilities:
+ drop:
+ - ALL
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+ # dashboard.topologySpreadConstraints -- Topology spread constraints for the dashboard pods
+ topologySpreadConstraints: []
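Review bot: Access control for the exposed dashboard rests entirely on the two `nginx.ingress.kubernetes.io/auth-*` annotations, and the file does not say what they depend on. They only take effect with ingress-nginx and an OAuth2 endpoint answering under `/oauth2` on `goldilocks.ervine.cloud`, which no template in this chart creates, and the dashboard Service stays reachable inside the cluster without them. Add a comment above `annotations:` such as `# Auth is enforced by ingress-nginx against an oauth2 proxy at /oauth2 on this host (deployed separately); the Service itself is unauthenticated`. `ingressClassName:` and both `serviceAccount.name:` keys are bare empty values; write `null` or `""` explicitly so the intent is clear.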
diff --git a/goldilocks-4.9/values.yaml b/goldilocks-4.9/values.yaml
new file mode 100644
index 0000000..9593900
--- /dev/null
+++ b/goldilocks-4.9/values.yaml
@@ -0,0 +1,184 @@
+# uninstallVPA -- Enabling this flag will remove a vpa installation that was previously managed with this chart. It is considered deprecated and will be removed in a later release.
+uninstallVPA: false
+
+vpa:
+ # vpa.enabled -- If true, the vpa will be installed as a sub-chart
+ enabled: false
+ updater:
+ enabled: false
+
+metrics-server:
+ # metrics-server.enabled -- If true, the metrics-server will be installed as a sub-chart
+ enabled: false
+ apiService:
+ create: true
+
+image:
+ # image.repository -- Repository for the goldilocks image
+ repository: us-docker.pkg.dev/fairwinds-ops/oss/goldilocks
+ # image.tag -- The goldilocks image tag to use
+ tag: v4.9.0
+ # image.pullPolicy -- imagePullPolicy - Highly recommended to leave this as `Always`
+ pullPolicy: Always
+
+# imagePullSecrets -- A list of image pull secret names to use
+imagePullSecrets: []
+
+nameOverride: ""
+fullnameOverride: ""
+
+controller:
+ # controller.enabled -- Whether or not to install the controller deployment
+ enabled: true
+ # controller.revisionHistoryLimit -- Number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets
+ revisionHistoryLimit: 10
+ rbac:
+ # controller.rbac.create -- If set to true, rbac resources will be created for the controller
+ create: true
+ # controller.rbac.enableArgoproj -- If set to true, the clusterrole will give access to argoproj.io resources
+ enableArgoproj: true
+ # controller.rbac.extraRules -- Extra rbac rules for the controller clusterrole
+ extraRules: []
+ # controller.rbac.extraClusterRoleBindings -- A list of ClusterRoles for which ClusterRoleBindings will be created for the ServiceAccount, if enabled
+ extraClusterRoleBindings: []
+ serviceAccount:
+ # controller.serviceAccount.create -- If true, a service account will be created for the controller. If set to false, you must set `controller.serviceAccount.name`
+ create: true
+ # controller.serviceAccount.name -- The name of an existing service account to use for the controller. Combined with `controller.serviceAccount.create`
+ name:
+
+ # controller.flags -- A map of additional flags to pass to the controller
+ flags: {}
+ # controller.logVerbosity -- Controller log verbosity. Can be set from 1-10 with 10 being extremely verbose
+ logVerbosity: "2"
+ # controller.nodeSelector -- Node selector for the controller pod
+ nodeSelector: {}
+ # controller.tolerations -- Tolerations for the controller pod
+ tolerations: []
+ # controller.affinity -- Affinity for the controller pods
+ affinity: {}
+ # controller.topologySpreadConstraints -- Topology spread constraints for the controller pods
+ topologySpreadConstraints: []
+ # controller.resources -- The resources block for the controller pods
+ resources:
+ limits:
+ cpu: 25m
+ memory: 256Mi
+ requests:
+ cpu: 25m
+ memory: 256Mi
+ # controller.podSecurityContext -- Defines the podSecurityContext for the controller pod
+ podSecurityContext: {}
+ # controller.securityContext -- The container securityContext for the controller container
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 10324
+ capabilities:
+ drop:
+ - ALL
+
+ deployment:
+ # controller.deployment.extraVolumeMounts -- Extra volume mounts for the controller container
+ extraVolumeMounts: []
+ # controller.deployment.extraVolumes -- Extra volumes for the controller pod
+ extraVolumes: []
+ # controller.deployment.annotations -- Extra annotations for the controller deployment
+ annotations: {}
+ # controller.deployment.additionalLabels -- Extra labels for the controller deployment
+ additionalLabels: {}
+
+ # controller.deployment.podAnnotations -- Extra annotations for the controller pod
+ podAnnotations: {}
+
+dashboard:
+ # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/`
+ basePath: null
+ # dashboard.enabled -- If true, the dashboard component will be installed
+ enabled: true
+ # dashboard.revisionHistoryLimit -- Number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets
+ revisionHistoryLimit: 10
+ # dashboard.replicaCount -- Number of dashboard pods to run
+ replicaCount: 2
+ service:
+ # dashboard.service.type -- The type of the dashboard service
+ type: ClusterIP
+ # dashboard.service.port -- The port to run the dashboard service on
+ port: 80
+ # dashboard.service.annotations -- Extra annotations for the dashboard service
+ annotations: {}
+ # dashboard.flags -- A map of additional flags to pass to the dashboard
+ flags: {}
+ # dashboard.logVerbosity -- Dashboard log verbosity. Can be set from 1-10 with 10 being extremely verbose
+ logVerbosity: "2"
+ # dashboard.excludeContainers -- Container names to exclude from displaying in the Goldilocks dashboard
+ excludeContainers: "linkerd-proxy,istio-proxy"
+ rbac:
+ # dashboard.rbac.create -- If set to true, rbac resources will be created for the dashboard
+ create: true
+ # dashboard.rbac.enableArgoproj -- If set to true, the clusterrole will give access to argoproj.io resources
+ enableArgoproj: true
+ serviceAccount:
+ # dashboard.serviceAccount.create -- If true, a service account will be created for the dashboard. If set to false, you must set `dashboard.serviceAccount.name`
+ create: true
+ # dashboard.serviceAccount.name -- The name of an existing service account to use for the controller. Combined with `dashboard.serviceAccount.create`
+ name:
+
+ deployment:
+ # dashboard.deployment.annotations -- Extra annotations for the dashboard deployment
+ annotations: {}
+ # dashboard.deployment.additionalLabels -- Extra labels for the dashboard deployment
+ additionalLabels: {}
+ # dashboard.deployment.extraVolumeMounts -- Extra volume mounts for the dashboard container
+ extraVolumeMounts: []
+ # dashboard.deployment.extraVolumes -- Extra volumes for the dashboard pod
+ extraVolumes: []
+
+ # dashboard.deployment.podAnnotations -- Extra annotations for the dashboard pod
+ podAnnotations: {}
+
+ ingress:
+ # dashboard.ingress.enabled -- Enables an ingress object for the dashboard.
+ enabled: false
+
+ # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
+ ingressClassName:
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ type: ImplementationSpecific
+
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+ # dashboard.resources -- A resources block for the dashboard.
+ resources:
+ limits:
+ cpu: 25m
+ memory: 256Mi
+ requests:
+ cpu: 25m
+ memory: 256Mi
+ # dashboard.podSecurityContext -- Defines the podSecurityContext for the dashboard pod
+ podSecurityContext: {}
+ # dashboard.securityContext -- The container securityContext for the dashboard container
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 10324
+ capabilities:
+ drop:
+ - ALL
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+ # dashboard.topologySpreadConstraints -- Topology spread constraints for the dashboard pods
+ topologySpreadConstraints: []
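Review bot: `controller.podSecurityContext` and `dashboard.podSecurityContext` are both left as `{}` in this new values file, so neither pod requests a seccomp profile and what the containers get depends on the node's default. The container-level `securityContext` blocks beside them are already tight (read-only root filesystem, non-root UID, all capabilities dropped). The README hunk for the newer chart later in this diff lists `{"seccompProfile":{"type":"RuntimeDefault"}}` as the default for both keys. If this 4.9 copy is still deployed, I would set the same under each key: `podSecurityContext:` / `seccompProfile:` / `type: RuntimeDefault`. Separately, the comment on `dashboard.serviceAccount.name` says "for the controller" and should read "for the dashboard".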
diff --git a/teleport-cluster-14.0.1/.values.home.yaml.swp b/goldilocks/.values.yaml.swp
similarity index 68%
rename from teleport-cluster-14.0.1/.values.home.yaml.swp
rename to goldilocks/.values.yaml.swp
index 485f029..863d183 100644
Binary files a/teleport-cluster-14.0.1/.values.home.yaml.swp and b/goldilocks/.values.yaml.swp differ
diff --git a/goldilocks/Chart.lock b/goldilocks/Chart.lock
index 21cd6dc..936985f 100644
--- a/goldilocks/Chart.lock
+++ b/goldilocks/Chart.lock
@@ -1,9 +1,9 @@
dependencies:
- name: vpa
repository: https://charts.fairwinds.com/stable
- version: 2.2.0
+ version: 2.5.1
- name: metrics-server
repository: https://charts.bitnami.com/bitnami
version: 6.4.1
-digest: sha256:65dfffdd82f5d6603ee038a3fa3a501efddd36ea79338c8b403e13916f53da51
-generated: "2023-07-20T15:27:42.2213269Z"
+digest: sha256:358718baff45656e3b4a9fa0cddb5c17717041839542aa223620002e55e5ce26
+generated: "2023-09-05T15:36:02.054719-06:00"
diff --git a/goldilocks/Chart.yaml b/goldilocks/Chart.yaml
index b205b1f..4b9b814 100644
--- a/goldilocks/Chart.yaml
+++ b/goldilocks/Chart.yaml
@@ -1,10 +1,10 @@
apiVersion: v2
-appVersion: v4.9.0
+appVersion: v4.10.0
dependencies:
- condition: vpa.enabled
name: vpa
repository: https://charts.fairwinds.com/stable
- version: 2.2.0
+ version: 2.5.*
- condition: metrics-server.enabled
name: metrics-server
repository: https://charts.bitnami.com/bitnami
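Review bot: The vpa dependency moves from the exact pin `2.2.0` to the range `2.5.*`, so any later 2.5.x release from the Fairwinds repository satisfies the constraint. Chart.lock in this same commit still records `2.5.1` with a digest, which keeps builds reproducible only while dependencies are restored with `helm dependency build`; `helm dependency update` re-resolves the range and rewrites the lock. Since the subchart is also vendored under `charts/vpa` at 2.5.1, an exact pin (`version: 2.5.1`) would keep Chart.yaml, Chart.lock and the vendored copy in agreement. The dependencies list continues past the end of this hunk.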
@@ -22,4 +22,4 @@ maintainers:
name: goldilocks
sources:
- https://github.com/FairwindsOps/goldilocks
-version: 7.1.1
+version: 7.3.1
diff --git a/goldilocks/README.md b/goldilocks/README.md
index 9dec847..1810131 100644
--- a/goldilocks/README.md
+++ b/goldilocks/README.md
@@ -65,7 +65,7 @@ This will completely remove the VPA and then re-install it using the new method.
| metrics-server.enabled | bool | `false` | If true, the metrics-server will be installed as a sub-chart |
| metrics-server.apiService.create | bool | `true` | |
| image.repository | string | `"us-docker.pkg.dev/fairwinds-ops/oss/goldilocks"` | Repository for the goldilocks image |
-| image.tag | string | `"v4.9.0"` | The goldilocks image tag to use |
+| image.tag | string | `"v4.10.0"` | The goldilocks image tag to use |
| image.pullPolicy | string | `"Always"` | imagePullPolicy - Highly recommended to leave this as `Always` |
| imagePullSecrets | list | `[]` | A list of image pull secret names to use |
| nameOverride | string | `""` | |
@@ -84,8 +84,8 @@ This will completely remove the VPA and then re-install it using the new method.
| controller.tolerations | list | `[]` | Tolerations for the controller pod |
| controller.affinity | object | `{}` | Affinity for the controller pods |
| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints for the controller pods |
-| controller.resources | object | `{"limits":{"cpu":"25m","memory":"256Mi"},"requests":{"cpu":"25m","memory":"256Mi"}}` | The resources block for the controller pods |
-| controller.podSecurityContext | object | `{}` | Defines the podSecurityContext for the controller pod |
+| controller.resources | object | `{"limits":{},"requests":{"cpu":"25m","memory":"256Mi"}}` | The resources block for the controller pods |
+| controller.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Defines the podSecurityContext for the controller pod |
| controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10324}` | The container securityContext for the controller container |
| controller.deployment.extraVolumeMounts | list | `[]` | Extra volume mounts for the controller container |
| controller.deployment.extraVolumes | list | `[]` | Extra volumes for the controller pod |
@@ -118,8 +118,8 @@ This will completely remove the VPA and then re-install it using the new method.
| dashboard.ingress.hosts[0].paths[0].path | string | `"/"` | |
| dashboard.ingress.hosts[0].paths[0].type | string | `"ImplementationSpecific"` | |
| dashboard.ingress.tls | list | `[]` | |
-| dashboard.resources | object | `{"limits":{"cpu":"25m","memory":"256Mi"},"requests":{"cpu":"25m","memory":"256Mi"}}` | A resources block for the dashboard. |
-| dashboard.podSecurityContext | object | `{}` | Defines the podSecurityContext for the dashboard pod |
+| dashboard.resources | object | `{"limits":{},"requests":{"cpu":"25m","memory":"256Mi"}}` | A resources block for the dashboard. |
+| dashboard.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Defines the podSecurityContext for the dashboard pod |
| dashboard.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10324}` | The container securityContext for the dashboard container |
| dashboard.nodeSelector | object | `{}` | |
| dashboard.tolerations | list | `[]` | |
diff --git a/goldilocks/charts/vpa/Chart.lock b/goldilocks/charts/vpa/Chart.lock
index c9f8f62..f3f5ecd 100644
--- a/goldilocks/charts/vpa/Chart.lock
+++ b/goldilocks/charts/vpa/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: metrics-server
repository: https://kubernetes-sigs.github.io/metrics-server/
- version: 3.10.0
-digest: sha256:0a1ceadffa31a28b452eddff98027bcc4df9894d22f2e74ccbfa1828477db27c
-generated: "2023-06-05T09:00:56.207403385+02:00"
+ version: 3.11.0
+digest: sha256:8e75a50c785978534cc73098c2c0d9f366060e8799348a794c819f986a133029
+generated: "2023-08-16T10:36:48.403971-06:00"
diff --git a/goldilocks/charts/vpa/Chart.yaml b/goldilocks/charts/vpa/Chart.yaml
index 4dbf937..88970d2 100644
--- a/goldilocks/charts/vpa/Chart.yaml
+++ b/goldilocks/charts/vpa/Chart.yaml
@@ -1,11 +1,11 @@
apiVersion: v2
-appVersion: 0.13.0
+appVersion: 0.14.0
dependencies:
- alias: metrics-server
condition: metrics-server.enabled
name: metrics-server
repository: https://kubernetes-sigs.github.io/metrics-server/
- version: 3.10.0
+ version: 3.11.0
description: A Helm chart for Kubernetes Vertical Pod Autoscaler
home: https://github.com/FairwindsOps/charts/tree/master/stable/vpa
kubeVersion: '>= 1.21.0-0'
@@ -16,4 +16,4 @@ sources:
- https://github.com/FairwindsOps/charts/tree/master/stable/vpa
- https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler
type: application
-version: 2.2.0
+version: 2.5.1
diff --git a/goldilocks/charts/vpa/README.md b/goldilocks/charts/vpa/README.md
index 3d196b3..21821bb 100644
--- a/goldilocks/charts/vpa/README.md
+++ b/goldilocks/charts/vpa/README.md
@@ -113,8 +113,10 @@ recommender:
| serviceAccount.name | string | `""` | The base name of the service account to use (appended with the component). If not set and create is true, a name is generated using the fullname template and appended for each component |
| serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| recommender.enabled | bool | `true` | If true, the vpa recommender component will be installed. |
+| recommender.annotations | object | `{}` | Annotations to add to the recommender deployment |
| recommender.extraArgs | object | `{"pod-recommendation-min-cpu-millicores":15,"pod-recommendation-min-memory-mb":100,"v":"4"}` | A set of key-value flags to be passed to the recommender |
| recommender.replicaCount | int | `1` | |
+| recommender.revisionHistoryLimit | int | `10` | The number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets |
| recommender.podDisruptionBudget | object | `{}` | This is the setting for the pod disruption budget |
| recommender.image.repository | string | `"registry.k8s.io/autoscaling/vpa-recommender"` | The location of the recommender image |
| recommender.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
@@ -131,8 +133,10 @@ recommender:
| recommender.affinity | object | `{}` | |
| recommender.podMonitor | object | `{"annotations":{},"enabled":false,"labels":{}}` | Enables a prometheus operator podMonitor for the recommender |
| updater.enabled | bool | `true` | If true, the updater component will be deployed |
+| updater.annotations | object | `{}` | Annotations to add to the updater deployment |
| updater.extraArgs | object | `{}` | A key-value map of flags to pass to the updater |
| updater.replicaCount | int | `1` | |
+| updater.revisionHistoryLimit | int | `10` | The number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets |
| updater.podDisruptionBudget | object | `{}` | This is the setting for the pod disruption budget |
| updater.image.repository | string | `"registry.k8s.io/autoscaling/vpa-updater"` | The location of the updater image |
| updater.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
@@ -149,6 +153,7 @@ recommender:
| updater.affinity | object | `{}` | |
| updater.podMonitor | object | `{"annotations":{},"enabled":false,"labels":{}}` | Enables a prometheus operator podMonitor for the updater |
| admissionController.enabled | bool | `true` | If true, will install the admission-controller component of vpa |
+| admissionController.annotations | object | `{}` | Annotations to add to the admission controller deployment |
| admissionController.extraArgs | object | `{}` | A key-value map of flags to pass to the admissionController |
| admissionController.generateCertificate | bool | `true` | If true and admissionController is enabled, a pre-install hook will run to create the certificate for the webhook |
| admissionController.secretName | string | `"{{ include \"vpa.fullname\" . }}-tls-secret"` | Name for the TLS secret created for the webhook. Default {{ .Release.Name }}-tls-secret |
@@ -167,6 +172,7 @@ recommender:
| admissionController.mutatingWebhookConfiguration.objectSelector | object | `{}` | The objectSelector can filter object on e.g. labels |
| admissionController.mutatingWebhookConfiguration.timeoutSeconds | int | `30` | |
| admissionController.replicaCount | int | `1` | |
+| admissionController.revisionHistoryLimit | int | `10` | The number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets |
| admissionController.podDisruptionBudget | object | `{}` | This is the setting for the pod disruption budget |
| admissionController.image.repository | string | `"registry.k8s.io/autoscaling/vpa-admission-controller"` | The location of the vpa admission controller image |
| admissionController.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
diff --git a/goldilocks/charts/vpa/charts/metrics-server/Chart.yaml b/goldilocks/charts/vpa/charts/metrics-server/Chart.yaml
index 037f690..7c0f77a 100644
--- a/goldilocks/charts/vpa/charts/metrics-server/Chart.yaml
+++ b/goldilocks/charts/vpa/charts/metrics-server/Chart.yaml
@@ -1,15 +1,15 @@
annotations:
artifacthub.io/changes: |
- - kind: fixed
- description: "Fixed auth-reader role binding namespace to always use kube-system."
- - kind: fixed
- description: "Fixed addon resizer configuration."
- kind: added
- description: "Added support for running under PodSecurity restricted."
- - kind: fixed
- description: "Fixed container port default not having been updated to 10250."
+ description: "Added default Metrics Server resource requests."
+ - kind: changed
+ description: "Updated the Metrics Server OCI image to v0.6.3."
+ - kind: changed
+ description: "Updated the addon resizer OCI image to v1.8.19."
+ - kind: changed
+ description: "Changed the default addon resizer nanny resource configuration to match the documented Metrics Server autoscaling values."
apiVersion: v2
-appVersion: 0.6.3
+appVersion: 0.6.4
description: Metrics Server is a scalable, efficient source of container resource
metrics for Kubernetes built-in autoscaling pipelines.
home: https://github.com/kubernetes-sigs/metrics-server
@@ -29,4 +29,4 @@ name: metrics-server
sources:
- https://github.com/kubernetes-sigs/metrics-server
type: application
-version: 3.10.0
+version: 3.11.0
diff --git a/goldilocks/charts/vpa/charts/metrics-server/README.md b/goldilocks/charts/vpa/charts/metrics-server/README.md
index a10cbae..50956b9 100644
--- a/goldilocks/charts/vpa/charts/metrics-server/README.md
+++ b/goldilocks/charts/vpa/charts/metrics-server/README.md
@@ -22,69 +22,69 @@ helm upgrade --install metrics-server metrics-server/metrics-server
The following table lists the configurable parameters of the _Metrics Server_ chart and their default values.
-| Parameter | Description | Default |
-| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
-| `image.repository` | Image repository. | `registry.k8s.io/metrics-server/metrics-server` |
-| `image.tag` | Image tag, will override the default tag derived from the chart app version. | `""` |
-| `image.pullPolicy` | Image pull policy. | `IfNotPresent` |
-| `imagePullSecrets` | Image pull secrets. | `[]` |
-| `nameOverride` | Override the `name` of the chart. | `nil` |
-| `fullnameOverride` | Override the `fullname` of the chart. | `nil` |
-| `serviceAccount.create` | If `true`, create a new service account. | `true` |
-| `serviceAccount.annotations` | Annotations to add to the service account. | `{}` |
-| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. | `nil` |
-| `serviceAccount.secrets` | The list of secrets mountable by this service account. See https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets | `[]` |
-| `rbac.create` | If `true`, create the RBAC resources. | `true` |
-| `rbac.pspEnabled` | If `true`, create a pod security policy resource. | `false` |
-| `apiService.create` | If `true`, create the `v1beta1.metrics.k8s.io` API service. You typically want this enabled! If you disable API service creation you have to manage it outside of this chart for e.g horizontal pod autoscaling to work with this release. | `true` |
-| `apiService.annotations` | Annotations to add to the API service | `{}` |
-| `apiService.insecureSkipTLSVerify` | Specifies whether to skip TLS verification | `true` |
-| `apiService.caBundle` | The PEM encoded CA bundle for TLS verification | `""` |
-| `commonLabels` | Labels to add to each object of the chart. | `{}` |
-| `podLabels` | Labels to add to the pod. | `{}` |
-| `podAnnotations` | Annotations to add to the pod. | `{}` |
-| `podSecurityContext` | Security context for the pod. | `{}` |
-| `securityContext` | Security context for the _metrics-server_ container. | _See values.yaml_ |
-| `priorityClassName` | Priority class name to use. | `system-cluster-critical` |
-| `containerPort` | port for the _metrics-server_ container. | `10250` |
-| `hostNetwork.enabled` | If `true`, start _metric-server_ in hostNetwork mode. You would require this enabled if you use alternate overlay networking for pods and API server unable to communicate with metrics-server. As an example, this is required if you use Weave network on EKS. | `false` |
-| `replicas` | Number of replicas to run. | `1` |
-| `updateStrategy` | Customise the default update strategy. | `{}` |
-| `podDisruptionBudget.enabled` | If `true`, create `PodDisruptionBudget` resource. | `{}` |
-| `podDisruptionBudget.minAvailable` | Set the `PodDisruptionBugdet` minimum available pods. | `nil` |
-| `podDisruptionBudget.maxUnavailable` | Set the `PodDisruptionBugdet` maximum unavailable pods. | `nil` |
-| `defaultArgs` | Default arguments to pass to the _metrics-server_ command. | See _values.yaml_ |
-| `args` | Additional arguments to pass to the _metrics-server_ command. | `[]` |
-| `livenessProbe` | Liveness probe. | See _values.yaml_ |
-| `readinessProbe` | Readiness probe. | See _values.yaml_ |
-| `service.type` | Service type. | `ClusterIP` |
-| `service.port` | Service port. | `443` |
-| `service.annotations` | Annotations to add to the service. | `{}` |
-| `service.labels` | Labels to add to the service. | `{}` |
-| `addonResizer.enabled` | If `true`, run the addon-resizer as a sidecar to automatically scale resource requests with cluster size. | `false` |
-| `addonResizer.image.repository` | addon-resizer image repository | registry.k8s.io/autoscaling/addon-resizer |
-| `addonResizer.image.tag` | addon-resizer image tag | 1.8.14 |
-| `addonResizer.resources` | Resource requests and limits for the _nanny_ container. | `{limits: {cpu: 40m, memory: 25Mi}, requests: {cpu: 40m, memory: 25Mi}}` |
-| `addonResizer.nanny.cpu` | The base CPU requirement. | 20m |
-| `addonResizer.nanny.extraCPU` | The amount of CPU to add per node. | 1m |
-| `addonResizer.nanny.extraMemory` | The amount of memory to add per node. | 2Mi |
-| `addonResizer.nanny.memory` | The base memory requirement. | 15Mi |
-| `addonResizer.nanny.minClusterSize` | Specifies the smallest number of nodes resources will be scaled to. | 10 |
-| `addonResizer.nanny.pollPeriod` | The time, in milliseconds, to poll the dependent container. | 300000 |
-| `addonResizer.nanny.threshold` | A number between 0-100. The dependent's resources are rewritten when they deviate from expected by more than threshold. | 5 |
-| `metrics.enabled` | If `true`, allow unauthenticated access to `/metrics`. | `false` |
-| `serviceMonitor.enabled` | If `true`, create a _Prometheus_ service monitor. This needs `metrics.enabled` to be `true`. | `false` |
-| `serviceMonitor.additionalLabels` | Additional labels to be set on the ServiceMonitor. | `{}` |
-| `serviceMonitor.metricRelabelings` | _Prometheus_ metric relabeling. | `[]` |
-| `serviceMonitor.relabelings` | _Prometheus_ relabeling. | `[]` |
-| `serviceMonitor.interval` | _Prometheus_ scrape frequency. | `1m` |
-| `serviceMonitor.scrapeTimeout` | _Prometheus_ scrape timeout. | `10s` |
-| `resources` | Resource requests and limits for the _metrics-server_ container. See https://github.com/kubernetes-sigs/metrics-server#scaling | `{}` |
-| `extraVolumeMounts` | Additional volume mounts for the _metrics-server_ container. | `[]` |
-| `extraVolumes` | Additional volumes for the pod. | `[]` |
-| `nodeSelector` | Node labels for pod assignment. | `{}` |
-| `tolerations` | Tolerations for pod assignment. | `[]` |
-| `affinity` | Affinity for pod assignment. | `{}` |
-| `topologySpreadConstraints` | Pod Topology Spread Constraints. | `[]` |
-| `deploymentAnnotations` | Annotations to add to the deployment. | `{}` |
-| `schedulerName` | scheduler to set to the deployment. | `""` |
+| Parameter | Description | Default |
+| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
+| `image.repository` | Image repository. | `registry.k8s.io/metrics-server/metrics-server` |
+| `image.tag` | Image tag, will override the default tag derived from the chart app version. | `""` |
+| `image.pullPolicy` | Image pull policy. | `IfNotPresent` |
+| `imagePullSecrets` | Image pull secrets. | `[]` |
+| `nameOverride` | Override the `name` of the chart. | `nil` |
+| `fullnameOverride` | Override the `fullname` of the chart. | `nil` |
+| `serviceAccount.create` | If `true`, create a new service account. | `true` |
+| `serviceAccount.annotations` | Annotations to add to the service account. | `{}` |
+| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. | `nil` |
+| `serviceAccount.secrets` | The list of secrets mountable by this service account. See https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets | `[]` |
+| `rbac.create` | If `true`, create the RBAC resources. | `true` |
+| `rbac.pspEnabled` | If `true`, create a pod security policy resource. | `false` |
+| `apiService.create` | If `true`, create the `v1beta1.metrics.k8s.io` API service. You typically want this enabled! If you disable API service creation you have to manage it outside of this chart for e.g horizontal pod autoscaling to work with this release. | `true` |
+| `apiService.annotations` | Annotations to add to the API service | `{}` |
+| `apiService.insecureSkipTLSVerify` | Specifies whether to skip TLS verification | `true` |
+| `apiService.caBundle` | The PEM encoded CA bundle for TLS verification | `""` |
+| `commonLabels` | Labels to add to each object of the chart. | `{}` |
+| `podLabels` | Labels to add to the pod. | `{}` |
+| `podAnnotations` | Annotations to add to the pod. | `{}` |
+| `podSecurityContext` | Security context for the pod. | `{}` |
+| `securityContext` | Security context for the _metrics-server_ container. | _See values.yaml_ |
+| `priorityClassName` | Priority class name to use. | `system-cluster-critical` |
+| `containerPort` | port for the _metrics-server_ container. | `10250` |
+| `hostNetwork.enabled` | If `true`, start _metric-server_ in hostNetwork mode. You would require this enabled if you use alternate overlay networking for pods and API server unable to communicate with metrics-server. As an example, this is required if you use Weave network on EKS. | `false` |
+| `replicas` | Number of replicas to run. | `1` |
+| `updateStrategy` | Customise the default update strategy. | `{}` |
+| `podDisruptionBudget.enabled` | If `true`, create `PodDisruptionBudget` resource. | `{}` |
+| `podDisruptionBudget.minAvailable` | Set the `PodDisruptionBugdet` minimum available pods. | `nil` |
+| `podDisruptionBudget.maxUnavailable` | Set the `PodDisruptionBugdet` maximum unavailable pods. | `nil` |
+| `defaultArgs` | Default arguments to pass to the _metrics-server_ command. | See _values.yaml_ |
+| `args` | Additional arguments to pass to the _metrics-server_ command. | `[]` |
+| `livenessProbe` | Liveness probe. | See _values.yaml_ |
+| `readinessProbe` | Readiness probe. | See _values.yaml_ |
+| `service.type` | Service type. | `ClusterIP` |
+| `service.port` | Service port. | `443` |
+| `service.annotations` | Annotations to add to the service. | `{}` |
+| `service.labels` | Labels to add to the service. | `{}` |
+| `addonResizer.enabled` | If `true`, run the addon-resizer as a sidecar to automatically scale resource requests with cluster size. | `false` |
+| `addonResizer.image.repository` | addon-resizer image repository | `registry.k8s.io/autoscaling/addon-resizer` |
+| `addonResizer.image.tag` | addon-resizer image tag | `1.8.19` |
+| `addonResizer.resources` | Resource requests and limits for the _nanny_ container. | `{ requests: { cpu: 40m, memory: 25Mi }, limits: { cpu: 40m, memory: 25Mi } }` |
+| `addonResizer.nanny.cpu` | The base CPU requirement. | `0m` |
+| `addonResizer.nanny.extraCPU` | The amount of CPU to add per node. | `1m` |
+| `addonResizer.nanny.memory` | The base memory requirement. | `0Mi` |
+| `addonResizer.nanny.extraMemory` | The amount of memory to add per node. | `2Mi` |
+| `addonResizer.nanny.minClusterSize` | Specifies the smallest number of nodes resources will be scaled to. | `100` |
+| `addonResizer.nanny.pollPeriod` | The time, in milliseconds, to poll the dependent container. | `300000` |
+| `addonResizer.nanny.threshold` | A number between 0-100. The dependent's resources are rewritten when they deviate from expected by more than threshold. | `5` |
+| `metrics.enabled` | If `true`, allow unauthenticated access to `/metrics`. | `false` |
+| `serviceMonitor.enabled` | If `true`, create a _Prometheus_ service monitor. This needs `metrics.enabled` to be `true`. | `false` |
+| `serviceMonitor.additionalLabels` | Additional labels to be set on the ServiceMonitor. | `{}` |
+| `serviceMonitor.metricRelabelings` | _Prometheus_ metric relabeling. | `[]` |
+| `serviceMonitor.relabelings` | _Prometheus_ relabeling. | `[]` |
+| `serviceMonitor.interval` | _Prometheus_ scrape frequency. | `1m` |
+| `serviceMonitor.scrapeTimeout` | _Prometheus_ scrape timeout. | `10s` |
+| `resources` | Resource requests and limits for the _metrics-server_ container. See https://github.com/kubernetes-sigs/metrics-server#scaling | `{ requests: { cpu: 100m, memory: 200Mi }}` |
+| `extraVolumeMounts` | Additional volume mounts for the _metrics-server_ container. | `[]` |
+| `extraVolumes` | Additional volumes for the pod. | `[]` |
+| `nodeSelector` | Node labels for pod assignment. | `{}` |
+| `tolerations` | Tolerations for pod assignment. | `[]` |
+| `affinity` | Affinity for pod assignment. | `{}` |
+| `topologySpreadConstraints` | Pod Topology Spread Constraints. | `[]` |
+| `deploymentAnnotations` | Annotations to add to the deployment. | `{}` |
+| `schedulerName` | scheduler to set to the deployment. | `""` |
diff --git a/goldilocks/charts/vpa/charts/metrics-server/templates/deployment.yaml b/goldilocks/charts/vpa/charts/metrics-server/templates/deployment.yaml
index 9f44be4..1d656fc 100644
--- a/goldilocks/charts/vpa/charts/metrics-server/templates/deployment.yaml
+++ b/goldilocks/charts/vpa/charts/metrics-server/templates/deployment.yaml
@@ -103,9 +103,8 @@ spec:
- /pod_nanny
- --config-dir=/etc/config
- --deployment={{ include "metrics-server.fullname" . }}
- - --threshold={{ .Values.addonResizer.nanny.threshold }}
- - --deployment={{ include "metrics-server.fullname" . }}
- --container=metrics-server
+ - --threshold={{ .Values.addonResizer.nanny.threshold }}
- --poll-period={{ .Values.addonResizer.nanny.pollPeriod }}
- --estimator=exponential
- --minClusterSize={{ .Values.addonResizer.nanny.minClusterSize }}
diff --git a/goldilocks/charts/vpa/charts/metrics-server/values.yaml b/goldilocks/charts/vpa/charts/metrics-server/values.yaml
index 7520a94..fba10aa 100644
--- a/goldilocks/charts/vpa/charts/metrics-server/values.yaml
+++ b/goldilocks/charts/vpa/charts/metrics-server/values.yaml
@@ -127,20 +127,20 @@ addonResizer:
enabled: false
image:
repository: registry.k8s.io/autoscaling/addon-resizer
- tag: 1.8.14
+ tag: 1.8.19
resources:
- limits:
- cpu: 40m
- memory: 25Mi
requests:
cpu: 40m
memory: 25Mi
+ limits:
+ cpu: 40m
+ memory: 25Mi
nanny:
- cpu: 20m
+ cpu: 0m
extraCpu: 1m
+ memory: 0Mi
extraMemory: 2Mi
- memory: 15Mi
- minClusterSize: 10
+ minClusterSize: 100
pollPeriod: 300000
threshold: 5
@@ -156,7 +156,13 @@ serviceMonitor:
relabelings: []
# See https://github.com/kubernetes-sigs/metrics-server#scaling
-resources: {}
+resources:
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ # limits:
+ # cpu:
+ # memory:
extraVolumeMounts: []
diff --git a/goldilocks/charts/vpa/ci/test-values.yaml b/goldilocks/charts/vpa/ci/test-values.yaml
index 00b4602..84efcd7 100644
--- a/goldilocks/charts/vpa/ci/test-values.yaml
+++ b/goldilocks/charts/vpa/ci/test-values.yaml
@@ -1,15 +1,24 @@
recommender:
enabled: true
+ annotations:
+ foo: bar
+ "foo.io/deploy-repo": "https://gitlab.com/foo/myrepo"
podLabels:
app: test
foo: bar
updater:
enabled: true
+ annotations:
+ foo: bar
+ "foo.io/deploy-repo": "https://gitlab.com/foo/myrepo"
podLabels:
app: test
foo: bar
admissionController:
enabled: true
+ annotations:
+ foo: bar
+ "foo.io/deploy-repo": "https://gitlab.com/foo/myrepo"
extraArgs:
v: "4"
generateCertificate: true
diff --git a/goldilocks/charts/vpa/templates/admission-controller-deployment.yaml b/goldilocks/charts/vpa/templates/admission-controller-deployment.yaml
index 1c26906..5ab28de 100644
--- a/goldilocks/charts/vpa/templates/admission-controller-deployment.yaml
+++ b/goldilocks/charts/vpa/templates/admission-controller-deployment.yaml
@@ -2,12 +2,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ {{- if .Values.admissionController.annotations }}
+ annotations:
+ {{- .Values.admissionController.annotations | toYaml | nindent 4 }}
+ {{- end }}
name: {{ include "vpa.fullname" . }}-admission-controller
labels:
app.kubernetes.io/component: admission-controller
{{- include "vpa.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.admissionController.replicaCount }}
+ {{- if .Values.admissionController.revisionHistoryLimit }}
+ revisionHistoryLimit: {{ .Values.admissionController.revisionHistoryLimit }}
+ {{- end }}
selector:
matchLabels:
app.kubernetes.io/component: admission-controller
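Review bot: The guard `{{- if .Values.admissionController.revisionHistoryLimit }}` is false when the value is `0`, so the field is left out of the manifest and the Deployment keeps the API default instead of discarding old ReplicaSets. The values.yaml comment added in this same diff says 0 garbage-collects old replicasets, which the template cannot deliver as written. Testing for presence rather than truthiness fixes it: `{{- if not (kindIs "invalid" .Values.admissionController.revisionHistoryLimit) }}`. The same guard appears in the recommender-deployment.yaml and updater-deployment.yaml hunks. The Deployment spec continues outside the hunk.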
diff --git a/goldilocks/charts/vpa/templates/admission-controller-pdb.yaml b/goldilocks/charts/vpa/templates/admission-controller-pdb.yaml
index c203a69..94ab1f7 100644
--- a/goldilocks/charts/vpa/templates/admission-controller-pdb.yaml
+++ b/goldilocks/charts/vpa/templates/admission-controller-pdb.yaml
@@ -9,5 +9,5 @@ spec:
selector:
matchLabels:
app.kubernetes.io/component: admission-controller
- app.kubernetes.io/name: {{ template "vpa.fullname" . }}
+ app.kubernetes.io/name: {{ template "vpa.name" . }}
{{- end }}
diff --git a/goldilocks/charts/vpa/templates/recommender-deployment.yaml b/goldilocks/charts/vpa/templates/recommender-deployment.yaml
index d6ec515..9ac23c5 100644
--- a/goldilocks/charts/vpa/templates/recommender-deployment.yaml
+++ b/goldilocks/charts/vpa/templates/recommender-deployment.yaml
@@ -2,12 +2,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ {{- if .Values.recommender.annotations }}
+ annotations:
+ {{- .Values.recommender.annotations | toYaml | nindent 4 }}
+ {{- end }}
name: {{ include "vpa.fullname" . }}-recommender
labels:
app.kubernetes.io/component: recommender
{{- include "vpa.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.recommender.replicaCount }}
+ {{- if .Values.recommender.revisionHistoryLimit }}
+ revisionHistoryLimit: {{ .Values.recommender.revisionHistoryLimit }}
+ {{- end }}
selector:
matchLabels:
app.kubernetes.io/component: recommender
diff --git a/goldilocks/charts/vpa/templates/recommender-pdb.yaml b/goldilocks/charts/vpa/templates/recommender-pdb.yaml
index d4d238b..6a16ce0 100644
--- a/goldilocks/charts/vpa/templates/recommender-pdb.yaml
+++ b/goldilocks/charts/vpa/templates/recommender-pdb.yaml
@@ -9,5 +9,5 @@ spec:
selector:
matchLabels:
app.kubernetes.io/component: recommender
- app.kubernetes.io/name: {{ template "vpa.fullname" . }}
+ app.kubernetes.io/name: {{ template "vpa.name" . }}
{{- end }}
diff --git a/goldilocks/charts/vpa/templates/updater-deployment.yaml b/goldilocks/charts/vpa/templates/updater-deployment.yaml
index 0f99d32..285c398 100644
--- a/goldilocks/charts/vpa/templates/updater-deployment.yaml
+++ b/goldilocks/charts/vpa/templates/updater-deployment.yaml
@@ -2,12 +2,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
+ {{- if .Values.updater.annotations }}
+ annotations:
+ {{- .Values.updater.annotations | toYaml | nindent 4 }}
+ {{- end }}
name: {{ include "vpa.fullname" . }}-updater
labels:
app.kubernetes.io/component: updater
{{- include "vpa.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.updater.replicaCount }}
+ {{- if .Values.updater.revisionHistoryLimit }}
+ revisionHistoryLimit: {{ .Values.updater.revisionHistoryLimit }}
+ {{- end }}
selector:
matchLabels:
app.kubernetes.io/component: updater
diff --git a/goldilocks/charts/vpa/templates/updater-pdb.yaml b/goldilocks/charts/vpa/templates/updater-pdb.yaml
index 4c1c304..e9ea1f7 100644
--- a/goldilocks/charts/vpa/templates/updater-pdb.yaml
+++ b/goldilocks/charts/vpa/templates/updater-pdb.yaml
@@ -9,5 +9,5 @@ spec:
selector:
matchLabels:
app.kubernetes.io/component: updater
- app.kubernetes.io/name: {{ template "vpa.fullname" . }}
+ app.kubernetes.io/name: {{ template "vpa.name" . }}
{{- end }}
diff --git a/goldilocks/charts/vpa/values.yaml b/goldilocks/charts/vpa/values.yaml
index fc332f1..89cde5f 100644
--- a/goldilocks/charts/vpa/values.yaml
+++ b/goldilocks/charts/vpa/values.yaml
@@ -30,12 +30,16 @@ serviceAccount:
recommender:
# recommender.enabled -- If true, the vpa recommender component will be installed.
enabled: true
+ # recommender.annotations -- Annotations to add to the recommender deployment
+ annotations: {}
# recommender.extraArgs -- A set of key-value flags to be passed to the recommender
extraArgs:
v: "4"
pod-recommendation-min-cpu-millicores: 15
pod-recommendation-min-memory-mb: 100
replicaCount: 1
+ # recommender.revisionHistoryLimit -- The number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets
+ revisionHistoryLimit: 10
# recommender.podDisruptionBudget -- This is the setting for the pod disruption budget
podDisruptionBudget: {}
# maxUnavailable: 1
@@ -96,9 +100,13 @@ recommender:
updater:
# updater.enabled -- If true, the updater component will be deployed
enabled: true
+ # updater.annotations -- Annotations to add to the updater deployment
+ annotations: {}
# updater.extraArgs -- A key-value map of flags to pass to the updater
extraArgs: {}
replicaCount: 1
+ # updater.revisionHistoryLimit -- The number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets
+ revisionHistoryLimit: 10
# updater.podDisruptionBudget -- This is the setting for the pod disruption budget
podDisruptionBudget: {}
# maxUnavailable: 1
@@ -159,6 +167,8 @@ updater:
admissionController:
# admissionController.enabled -- If true, will install the admission-controller component of vpa
enabled: true
+ # admissionController.annotations -- Annotations to add to the admission controller deployment
+ annotations: {}
# admissionController.extraArgs -- A key-value map of flags to pass to the admissionController
extraArgs: {}
# admissionController.generateCertificate -- If true and admissionController is enabled, a pre-install hook will run to create the certificate for the webhook
@@ -196,6 +206,8 @@ admissionController:
timeoutSeconds: 30
replicaCount: 1
+ # admissionController.revisionHistoryLimit -- The number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets
+ revisionHistoryLimit: 10
# admissionController.podDisruptionBudget -- This is the setting for the pod disruption budget
podDisruptionBudget: {}
# maxUnavailable: 1
diff --git a/goldilocks/templates/controller-clusterrole.yaml b/goldilocks/templates/controller-clusterrole.yaml
index c1cf9f1..11284ff 100644
--- a/goldilocks/templates/controller-clusterrole.yaml
+++ b/goldilocks/templates/controller-clusterrole.yaml
@@ -18,6 +18,15 @@ rules:
- 'get'
- 'list'
- 'watch'
+ - apiGroups:
+ - 'batch'
+ resources:
+ - 'cronjobs'
+ - 'jobs'
+ verbs:
+ - 'get'
+ - 'list'
+ - 'watch'
- apiGroups:
- ''
resources:
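Review bot: The new `batch` rule lets the controller's service account read every Job and CronJob in the cluster, and nothing in the rule says why that is needed. Those objects embed full pod templates, so literal environment values and command arguments in them become readable to anything holding this token. The verbs are read-only, which is the right ceiling; I would add a comment above the rule such as `# read-only: Jobs/CronJobs are looked up as workload owners (confirm against controller code)` so that a later edit does not widen it unnoticed. The rules list starts and continues outside the hunk.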
diff --git a/goldilocks/values-home.yaml b/goldilocks/values-home.yaml
index 3707c9f..e2c06f7 100644
--- a/goldilocks/values-home.yaml
+++ b/goldilocks/values-home.yaml
@@ -3,7 +3,7 @@ uninstallVPA: false
vpa:
# vpa.enabled -- If true, the vpa will be installed as a sub-chart
- enabled: false
+ enabled: true
updater:
enabled: false
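Review bot: Flipping `vpa.enabled` to `true` installs the whole VPA sub-chart, and the only component switched off in the visible lines is the updater. The sub-chart's values.yaml in this diff defaults `admissionController.enabled` to `true`, which deploys the admission controller and runs a pre-install hook to create the webhook certificate. If this install only needs recommendations, add `admissionController:` with `enabled: false` under `vpa:` so that no admission webhook sits in the pod-creation path. The rest of the `vpa:` block is outside the hunk, so this may already be set further down.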
diff --git a/goldilocks/values.yaml b/goldilocks/values.yaml
index 9593900..3fe2604 100644
--- a/goldilocks/values.yaml
+++ b/goldilocks/values.yaml
@@ -17,7 +17,7 @@ image:
# image.repository -- Repository for the goldilocks image
repository: us-docker.pkg.dev/fairwinds-ops/oss/goldilocks
# image.tag -- The goldilocks image tag to use
- tag: v4.9.0
+ tag: v4.10.0
# image.pullPolicy -- imagePullPolicy - Highly recommended to leave this as `Always`
pullPolicy: Always
@@ -61,14 +61,14 @@ controller:
topologySpreadConstraints: []
# controller.resources -- The resources block for the controller pods
resources:
- limits:
- cpu: 25m
- memory: 256Mi
+ limits: {}
requests:
cpu: 25m
memory: 256Mi
# controller.podSecurityContext -- Defines the podSecurityContext for the controller pod
- podSecurityContext: {}
+ podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
# controller.securityContext -- The container securityContext for the controller container
securityContext:
readOnlyRootFilesystem: true
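Review bot: `limits: {}` removes the memory cap along with the CPU cap, so the controller can grow until the node comes under memory pressure; the dashboard hunk below makes the same change. Dropping the CPU limit avoids throttling, but a memory limit is the only bound on a leak or unexpected growth in these pods. Keeping `limits:` with `memory: 256Mi` (matching the request) would preserve that bound. The `seccompProfile` addition is fine as it stands; the container `securityContext` continues outside the hunk.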
@@ -160,14 +160,14 @@ dashboard:
# dashboard.resources -- A resources block for the dashboard.
resources:
- limits:
- cpu: 25m
- memory: 256Mi
+ limits: {}
requests:
cpu: 25m
memory: 256Mi
# dashboard.podSecurityContext -- Defines the podSecurityContext for the dashboard pod
- podSecurityContext: {}
+ podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
# dashboard.securityContext -- The container securityContext for the dashboard container
securityContext:
readOnlyRootFilesystem: true